ops4j / org.ops4j.pax.url

Custom URL stream handlers for OSGi
http://team.ops4j.org/wiki/display/paxurl

pax-url-aether using org.apache.httpcomponents_httpclient v4.5.6 having CVE-2020-13956 vulnerability #403

Closed kashish2909 closed 2 years ago

kashish2909 commented 2 years ago

pax-url-aether has org.apache.httpcomponents_httpclient 4.5.6, which is vulnerable. Please update it to a non-vulnerable version like 5.0.3 or 4.5.13. This gets reflected in the security scans that run after production releases. Ref: https://nvd.nist.gov/vuln/detail/CVE-2020-13956

jbonofre commented 2 years ago

Actually httpclient 4.5.6 is coming from wagon-http dependency. So, I have either:

jbonofre commented 2 years ago

OK, upgrading to wagon 3.4.3 doesn't help as it still uses httpclient 4.5.6. I'm excluding httpclient from wagon-http and updating httpclient in pax-url-aether.
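The remediation described in the comment above, excluding the transitive httpclient from wagon-http and declaring the patched version directly, looks like this in a Maven pom.xml. This is an added illustration, not the actual pax-url build file; the Maven coordinates `org.apache.maven.wagon:wagon-http` and `org.apache.httpcomponents:httpclient` are the standard ones for those artifacts, and the versions are the wagon 3.4.3 and httpclient 4.5.13 named in this issue.

```xml
<!-- Added example, not the pax-url project's own pom.xml.
     Assumed coordinates: org.apache.maven.wagon:wagon-http and
     org.apache.httpcomponents:httpclient; versions taken from the issue. -->
<dependencyManagement>
  <dependencies>
    <!-- Pin the patched httpclient so any remaining transitive path
         also resolves to 4.5.13 rather than 4.5.6 -->
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.maven.wagon</groupId>
    <artifactId>wagon-http</artifactId>
    <version>3.4.3</version>
    <exclusions>
      <!-- Drop the httpclient 4.5.6 that wagon-http pulls in transitively -->
      <exclusion>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare httpclient directly; the version comes from dependencyManagement -->
  <dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
  </dependency>
</dependencies>
```

The `dependencyManagement` entry alone would already force Maven to resolve httpclient to 4.5.13 wherever it appears in the graph; the explicit exclusion on wagon-http makes the intent visible and keeps a later wagon bump from silently reintroducing the old version. After the change, `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient` should show a single 4.5.13 node and no 4.5.6 anywhere, which is the same check the post-release security scans are effectively performing. Keep httpcore aligned with whatever the chosen httpclient release declares, since the two are released together and mixing versions is a common source of runtime `NoSuchMethodError`s after this kind of bump.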

jbonofre commented 2 years ago

Actually, for the record, I will update both wagon and httpclients all together.