
Hello, we found a vulnerable dependency in your project

Open JavaEcosystemResearch opened this issue 3 years ago • 0 comments

Hi! We spotted a vulnerable dependency in your project, which might threaten your software. We also found that the vulnerable function of this CVE can be easily accessed from your software: there is no constraint along the invocation path to the vulnerable function.

  • CVE_ID: CVE-2021-29425
  • Vulnerable dependency: commons-io:commons-io
  • Vulnerable function: getPrefixLength(java.lang.String)
  • Invocation path to the vulnerable method:
org.apache.royale.compiler.internal.tree.mxml.MXMLNodeBase:resolveSourceAttributePath(org.apache.royale.compiler.internal.tree.mxml.MXMLTreeBuilder,org.apache.royale.compiler.mxml.IMXMLTagAttributeData,org.apache.royale.compiler.internal.tree.mxml.MXMLNodeBase$MXMLNodeInfo)
⬇️
org.apache.commons.io.FilenameUtils:concat(java.lang.String,java.lang.String)
⬇️
org.apache.commons.io.FilenameUtils:getPrefixLength(java.lang.String)

Therefore, maybe you need to upgrade this dependency. Hope this can help you! 😄

JavaEcosystemResearch, Aug 22 '22 15:08
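As an added example (not royale-compiler's or commons-io's own code), a containment check a maintainer could apply at the `resolveSourceAttributePath` step so that the resolved `source` path cannot leave the directory of the MXML document, independent of which commons-io version provides `FilenameUtils.concat`; `SourcePathGuard` and `resolveWithinBase` are hypothetical names.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical helper (not royale-compiler code): resolves an MXML source="..."
 * attribute against the directory of the enclosing document and rejects any
 * result that escapes that directory.
 */
public final class SourcePathGuard {

    /**
     * @param baseDir    directory containing the MXML document
     * @param sourceAttr value of the source attribute as written in the MXML
     * @return the resolved, normalized absolute path, or null if it would leave baseDir
     */
    public static Path resolveWithinBase(Path baseDir, String sourceAttr) {
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() accepts both relative and absolute inputs; normalize() collapses
        // "." and ".." segments so the containment check sees the real target.
        Path candidate = base.resolve(sourceAttr).normalize();
        // Containment check: the normalized target must still sit under the base
        // directory. This uses java.nio only, so it is not affected by the
        // commons-io FilenameUtils behaviour reported in CVE-2021-29425.
        if (!candidate.startsWith(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for illustration.
        Path base = Paths.get("/project/src");
        System.out.println(resolveWithinBase(base, "views/Main.mxml"));
        System.out.println(resolveWithinBase(base, "../../outside/Other.mxml"));
    }
}
```

The second call returns null because the normalized path no longer starts with the base directory; the caller should then report the attribute as invalid rather than read from the resolved location.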