Build / BUILD-1208

Dismiss CVE about mvel2-2.4.15+


Details

    • Task
    • Resolution: Done

    Description

      Pulled in via jBPM, still undergoing analysis at the moment of writing.

      https://nvd.nist.gov/vuln/detail/CVE-2023-51079
      https://github.com/mvel/mvel/issues/348 

      [INFO] |  +- org.jbpm:jbpm-runtime-manager:jar:7.74.1.Final:compile
      [INFO] |  |  +- org.eclipse.aether:aether-api:jar:1.1.0:compile
      [INFO] |  |  +- org.kie.soup:kie-soup-project-datamodel-commons:jar:7.74.1.Final:compile
      [INFO] |  |  |  \- org.kie.soup:kie-soup-project-datamodel-api:jar:7.74.1.Final:compile
      [INFO] |  |  +- org.mvel:mvel2:jar:2.4.15.Final:compile
      

      The vulnerability was eventually dismissed by the library maintainers. The API in question isn't used by Magnolia directly anyway.


            People

              fgrilli Federico Grilli