
Apache Commons Configuration 1.x Vulnerable to Denial-of-Service (DoS)

Open I354655 opened this issue 8 months ago • 1 comments

Hello,

We are consuming the cloud-sdk version 5.17.0, which in turn consumes Apache Commons Configuration 1.10, in our application. Black Duck identified a Medium priority vulnerability with this version. Please confirm that the cloud-sdk-datamodel is not affected by this vulnerability? If so, please suggest the available version which has the fix for this vulnerability.

Note: On Maven Central the latest versions are also showing some vulnerability. https://mvnrepository.com/artifact/com.sap.cloud.sdk.datamodel/odata-generator/5.18.0

Dependency Tree: (image attached in the original issue)

Link to CVE-2025-46392 -> https://nvd.nist.gov/vuln/detail/CVE-2025-46392

Thanks.

I354655 avatar May 19 '25 08:05 I354655

Hi @I354655,

thanks for reaching out!

We are currently looking into migrating to Apache Commons Configuration version 2 and will let you know once we have more information on this.

Jonas-Isr avatar May 19 '25 16:05 Jonas-Isr

Hi @I354655, we have released Cloud SDK 5.19.0 along with the vulnerability fix.

rpanackal avatar May 26 '25 15:05 rpanackal

Hi @rpanackal, thanks for the update. Can we now start consuming this version in our application?

I354655 avatar May 27 '25 06:05 I354655