Open AlexanderNikitin-Smartbear opened 6 years ago
The rhino shell (which is what you get when you run "java -jar" on the Rhino JAR) has a bunch of commands including one that lets you execute a shell command. That's by design. People who are running Rhino on sensitive environments should not be using that part of Rhino. If anyone has any idea how to update the packaging or README to keep people from running into this it'd be a great contribution.
On Wed, Aug 22, 2018 at 5:49 AM AlexanderNikitin-Smartbear <notifications@github.com> wrote:
Hi, we've scanned the library with Veracode, and it found a very high vulnerability. The report is attached. rhino.pdf https://github.com/mozilla/rhino/files/2310329/rhino.pdf
Regards, Alexander Nikitin
Move the shell-classes into a separate artefact depending on the core classes? A change to README doesn't keep anyone from running a main class part of the artefact.
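As an added illustration of the maintainer's point (this is not code from the thread or from the Rhino project): an application that embeds the core engine through Context never loads the shell's Global object, so the shell's command-execution function (runCommand) is not defined in its scope, and a ClassShutter can additionally hide every Java class from scripts so that java.lang.Runtime and friends are unreachable. The probe scripts and the class name are constructed for this example.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class EmbeddedRhinoNoShell {

    // Evaluate a script in a core-engine scope: initStandardObjects() gives
    // only the ECMAScript built-ins (no shell globals such as runCommand),
    // and the ClassShutter denies every Java class to script code.
    static String evaluate(String script) {
        Context cx = Context.enter();
        try {
            // Default-deny: no Java class (Runtime, ProcessBuilder, File, ...)
            // is visible to scripts through Packages/java.* or importClass.
            cx.setClassShutter(fullClassName -> false);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, script, "embedded", 1, null);
            return Context.toString(result);
        } catch (RhinoException e) {
            // EcmaError / EvaluatorException / JavaScriptException all land here.
            return "blocked: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed probe scripts.
        // The shell's command-execution function is a shell global, not a core
        // standard object, so in this scope it is simply not defined.
        System.out.println(evaluate("typeof runCommand"));
        // With the shutter in place java.lang.Runtime does not resolve to a
        // class, so this call fails instead of returning a Runtime object.
        System.out.println(evaluate("java.lang.Runtime.getRuntime()"));
        // Ordinary ECMAScript keeps working for the embedder's own scripts.
        System.out.println(evaluate("[1,2,3].map(function(x){return x*2}).join()"));
    }
}
```

Running a script through this entry point instead of the shell's main class is what "not using that part of Rhino" looks like for an embedder; the shutter is the extra least-privilege step the thread does not spell out.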