camunda BPM

CAM-7843: commons-fileupload has known security vulnerabilities

    Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: 7.6.0, 7.7.0-alpha2
    • Fix Version/s: 7.8.0, 7.8.0-alpha1
    • Component/s: None
    • Labels: None

      Description

      camunda-engine-rest-core has a compile-time dependency on commons-fileupload that has known security vulnerabilities:

      https://nvd.nist.gov/vuln/detail/CVE-2016-3092
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031

      +- org.camunda.bpm.webapp:camunda-webapp:jar:classes:7.6.0:compile
      |  |  \- org.camunda.bpm:camunda-engine-rest-core:jar:7.6.0:compile
      |  |     +- commons-fileupload:commons-fileupload:jar:1.2.2:compile
      |  |     \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.8.8:compile
      |  |        \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.8.8:compile
      

      The solution would be to upgrade commons-fileupload to the newest version.
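The check a practitioner would run against the tree quoted in this report, as an added example that is not Camunda's own code or tooling: it parses `mvn dependency:tree` output, flags artifacts whose version predates the fix for each of the three CVEs listed above, and emits the `<dependencyManagement>` pin that forces the transitive commons-fileupload up. The tree text is a constructed sample modelled on the one in the report; the fixed-in versions (1.3.1, 1.3.2, 1.3.3) are taken from the Apache Commons FileUpload release notes and should be checked against the advisories before being relied on; the version ordering is a simplification of Maven's `ComparableVersion`.

```python
"""Flag vulnerable commons-fileupload versions in `mvn dependency:tree` output.

Added example, not Camunda project code. SAMPLE_TREE is constructed after the
tree in CAM-7843; the fixed-in versions in ADVISORIES are taken from the Apache
Commons FileUpload release notes and should be verified against the advisories.
"""
from typing import Dict, List, Tuple

# "groupId:artifactId" -> [(CVE, first release that contains the fix)]
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "commons-fileupload:commons-fileupload": [
        ("CVE-2014-0050", "1.3.1"),      # multipart boundary handling DoS
        ("CVE-2016-3092", "1.3.2"),      # MultipartStream DoS
        ("CVE-2016-1000031", "1.3.3"),   # DiskFileItem deserialisation
    ],
}

# Constructed sample of `mvn dependency:tree` output (mirrors the report).
SAMPLE_TREE = """\
+- org.camunda.bpm.webapp:camunda-webapp:jar:classes:7.6.0:compile
|  |  \\- org.camunda.bpm:camunda-engine-rest-core:jar:7.6.0:compile
|  |     +- commons-fileupload:commons-fileupload:jar:1.2.2:compile
|  |     \\- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.8.8:compile
|  |        \\- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.8.8:compile
"""


def parse_tree(text: str) -> List[Dict[str, str]]:
    """Parse tree lines into coordinates. A coordinate in dependency:tree output is
    groupId:artifactId:type[:classifier]:version:scope; other lines are skipped."""
    deps = []
    for line in text.splitlines():
        parts = line.lstrip("|+\\- ").strip().split(":")
        if len(parts) == 5:
            group, artifact, typ, version, scope = parts
        elif len(parts) == 6:
            group, artifact, typ, _classifier, version, scope = parts
        else:
            continue
        deps.append({"group": group, "artifact": artifact, "type": typ,
                     "version": version, "scope": scope})
    return deps


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Simplified Maven ordering (assumption, not Maven's ComparableVersion):
    numeric dot segments compared as integers, trailing zeros ignored so 1.3 == 1.3.0,
    and a qualified version such as 1.3.3-SNAPSHOT sorts below the 1.3.3 release."""
    head, _, qualifier = version.partition("-")
    nums = [int(p) for p in head.split(".") if p.isdigit()]
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if qualifier else 1)


def find_vulnerable(deps: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (groupId:artifactId, version, CVE, fixed_in) for every advisory whose
    fixed-in version is newer than the resolved version."""
    findings = []
    for dep in deps:
        key = f"{dep['group']}:{dep['artifact']}"
        for cve, fixed_in in ADVISORIES.get(key, []):
            if version_key(dep["version"]) < version_key(fixed_in):
                findings.append((key, dep["version"], cve, fixed_in))
    return findings


def dependency_management_override(findings) -> str:
    """Emit a <dependencyManagement> fragment pinning each flagged artifact to the
    highest fixed-in version among its findings. This is the usual remedy when the
    vulnerable artifact arrives transitively, as commons-fileupload does here via
    camunda-engine-rest-core: Maven applies the managed version to transitive deps."""
    pins: Dict[str, str] = {}
    for key, _version, _cve, fixed_in in findings:
        if key not in pins or version_key(fixed_in) > version_key(pins[key]):
            pins[key] = fixed_in
    lines = ["<dependencyManagement>", "  <dependencies>"]
    for key, version in sorted(pins.items()):
        group, artifact = key.split(":")
        lines += ["    <dependency>",
                  f"      <groupId>{group}</groupId>",
                  f"      <artifactId>{artifact}</artifactId>",
                  f"      <version>{version}</version>",
                  "    </dependency>"]
    lines += ["  </dependencies>", "</dependencyManagement>"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_vulnerable(parse_tree(SAMPLE_TREE))
    for key, version, cve, fixed_in in hits:
        print(f"{key}:{version} is affected by {cve} (fixed in {fixed_in})")
    print(dependency_management_override(hits))
```

Run it against real output with `mvn dependency:tree | python3 this_script.py`-style piping after swapping SAMPLE_TREE for `sys.stdin.read()`; the pin it prints goes in the parent POM, and `mvn dependency:tree` run again should then show 1.3.3 under camunda-engine-rest-core.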

        Activity

        meyer Daniel Meyer added a comment -

        Hi Piotr, thank you for reporting this security vulnerability. We will address it for our next releases


          People

          • Assignee: Sebastian Menski (sebastian.menski)
          • Reporter: Piotr Czekaj (pczekaj)
          • Votes: 0
          • Watchers: 2
