Details
Task
Resolution: Done
Description
https://nvd.nist.gov/vuln/detail/CVE-2023-37895
Not an actual security issue as far as Magnolia is concerned, since the components involved aren't used (see also https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw).
We're going to update anyway to the latest version where possible (Magnolia 6.2.x) and suppress the CVE for Magnolia 5.7.x, as the latter uses an EOL version of Jackrabbit (2.18.x) which no longer receives updates.
—
Some CVE scan tools also list as vulnerable:
- info.magnolia.ocm:jackrabbit-ocm:jar:2.0.1
- org.apache.jackrabbit:oak-jackrabbit-api:jar:1.48.0
Those look like false positives owing to the fact that the CPE for CVE-2023-37895 matches any Jackrabbit artifact: cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*
Finally, JR stated that only Apache Jackrabbit Webapp and Apache Jackrabbit Standalone are affected, and those are components of the Jackrabbit project proper.
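The triage argument above (a wildcard CPE flags every artifact whose name contains "jackrabbit", but only the two artifacts named in the Apache thread are affected) as a worked example. This is added code, not from the Magnolia issue, Magnolia's build, or the Apache Jackrabbit project. The CPE string is the one NVD attaches to the CVE; the dependency list is constructed for the example (the two coordinates from the issue plus two made-up ones, a webapp artifact and an unrelated control), and the product-matching heuristic is a simplified stand-in for a real scanner's evidence matching, not any particular tool's algorithm.

```python
# Added example, not from the Magnolia issue or the Apache Jackrabbit project.
# Shows why a CPE whose every field after the product is ANY ("*") flags any
# artifact named "...jackrabbit...", and how to separate the two artifacts the
# Apache thread names as affected from the false positives.
from dataclasses import dataclass

# CPE configuration NVD attaches to CVE-2023-37895: vendor and product are
# set, every later field is "*", so nothing but the product name narrows it.
NVD_CPE = "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*"

# Per the Apache users thread, only these two artifacts are affected.
AFFECTED_ARTIFACTS = frozenset({"jackrabbit-webapp", "jackrabbit-standalone"})

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample dependency list: the first two coordinates are the ones
# the issue quotes, the last two are made up for this example.
SAMPLE_DEPENDENCIES = [
    "info.magnolia.ocm:jackrabbit-ocm:jar:2.0.1",
    "org.apache.jackrabbit:oak-jackrabbit-api:jar:1.48.0",
    "org.apache.jackrabbit:jackrabbit-webapp:war:2.18.0",   # constructed
    "org.apache.commons:commons-lang3:jar:3.12.0",          # constructed control
]


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named fields."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


@dataclass(frozen=True)
class MavenCoord:
    group: str
    artifact: str
    version: str

    @classmethod
    def parse(cls, coord: str) -> "MavenCoord":
        """Accept 'g:a:v' or the 'g:a:packaging:v' form scanners print."""
        parts = coord.split(":")
        if len(parts) == 3:
            group, artifact, version = parts
        elif len(parts) == 4:
            group, artifact, _packaging, version = parts
        else:
            raise ValueError(f"unexpected Maven coordinate: {coord!r}")
        return cls(group, artifact, version)


def cpe_matches_coord(cpe: dict, coord: MavenCoord) -> bool:
    """Simplified scanner heuristic (an assumption for this example, not a
    real tool's logic): the CPE product appearing as a hyphen-separated token
    of the artifactId is a product match; a "*" version field matches any
    version, anything else must match exactly. Vendor is not consulted,
    since real scanners also take vendor evidence from pom metadata."""
    tokens = set(coord.artifact.lower().split("-"))
    if cpe["product"] != "*" and cpe["product"].lower() not in tokens:
        return False
    return cpe["version"] in ("*", coord.version)


def triage(cpe_str: str, coords, affected=AFFECTED_ARTIFACTS) -> dict:
    """Map each coordinate to a verdict: not flagged, false positive, or an
    artifact the upstream project actually lists as affected."""
    cpe = parse_cpe(cpe_str)
    verdicts = {}
    for raw in coords:
        coord = MavenCoord.parse(raw)
        if not cpe_matches_coord(cpe, coord):
            verdicts[raw] = "not flagged"
        elif coord.artifact in affected:
            verdicts[raw] = "affected artifact: review and update"
        else:
            verdicts[raw] = "false positive (wildcard CPE, artifact not in affected list)"
    return verdicts


if __name__ == "__main__":
    for coord, verdict in triage(NVD_CPE, SAMPLE_DEPENDENCIES).items():
        print(f"{coord:55s} {verdict}")
```

The point to take from the output is that the two coordinates quoted in the issue hit the CPE purely on the product name, while the constructed jackrabbit-webapp coordinate is the only one that still needs a version check and an update; a suppression scoped to the non-affected artifacts, rather than to the CVE as a whole, keeps that distinction visible in later scans.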