
Upgrade commons-io:commons-io:jar:2.4 to 2.5

Open · myhau opened this issue 8 years ago · 1 comment

Apache Commons IO 2.4 contains a vulnerability

https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

https://issues.apache.org/jira/browse/IO-487

Aha! Link: https://mulesoft-roadmap.aha.io/features/APIRAML-72

myhau avatar Oct 19 '17 09:10 myhau

Hi @myhau, thanks for taking the time to report this issue. Can you elaborate more on what the actual vulnerability is?

The first link points to a vulnerability in commons-collections, not commons-io. This one was fixed in 3.2.2, which is the current version in the RAML parser.

The second link points to an improvement in the commons-io library with the ability to restrict which classes can be serialized. But the actual vulnerability is in the underlying commons-collections.

aiannucci avatar Oct 24 '17 15:10 aiannucci
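The class-restriction feature referenced above (IO-487, shipped in commons-io 2.5 as `ValidatingObjectInputStream`) is the defensive side of this discussion. The following is an added example, not code from this issue or from raml-java-parser; it assumes commons-io 2.5 or later on the classpath and uses a constructed `ApiConfig` type as a stand-in for whatever the application legitimately expects to read.

```java
import java.io.*;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class SafeDeserializeDemo {
    // Constructed sample type standing in for the application's expected payload.
    static final class ApiConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        final String title;
        ApiConfig(String title) { this.title = title; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Only allow-listed classes are resolved; any other class in the stream
    // is rejected in resolveClass(), before an instance can be created.
    static Object readAllowListed(byte[] data, Class<?>... allowed)
            throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream in =
                     new ValidatingObjectInputStream(new ByteArrayInputStream(data))) {
            in.accept(allowed);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] blob = serialize(new ApiConfig("petstore"));

        // Expected type on the allow-list: deserialization succeeds.
        ApiConfig ok = (ApiConfig) readAllowListed(blob, ApiConfig.class);
        System.out.println("accepted: " + ok.title);

        // Same bytes, but ApiConfig is not on the list: rejected up front.
        try {
            readAllowListed(blob, String.class);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that the filter only controls which classes the stream may load; as the comment above says, the gadget itself lived in commons-collections, so upgrading that library remains the primary fix.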