jackrabbit icon indicating copy to clipboard operation
jackrabbit copied to clipboard
verified publisher icon apache

Upgrade Apache Commons Collections to v3.2.2

Open martincochrang opened this issue 9 years ago • 1 comments

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

martincochrang avatar Mar 08 '16 18:03 martincochrang

Thanks for the pull request - see https://issues.apache.org/jira/browse/JCR-4080. Reminder: the actual issue tracking happens in Jira, that's why this has remained unnoticed until right now.

reschke avatar Dec 11 '16 16:12 reschke