- Task
- Resolution: Done
- Neutral
- POMs 41
- Yes
- Maintenance 51
- 1
One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp:
magnolia-empty-webapp-6.2.8-SNAPSHOT.war: xz-1.8.jar (cpe:2.3:a:tukaani:xz:1.8:*:*:*:*:*:*:*) : CVE-2015-4035
From https://nvd.nist.gov/vuln/detail/CVE-2015-4035
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
Looks like a false positive: the version used by Magnolia is https://git.tukaani.org/?p=xz-java.git;a=summary, which does not have a scripts/xzgrep.in file.
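A triage check for the claim above, as an added example that is not part of the original ticket or of Magnolia's code: it opens a WAR, finds `xz-*.jar` under `WEB-INF/lib`, and reports whether the jar carries any `xzgrep` script or only Java classes. The `WEB-INF/lib` location, the `org/tukaani/xz/` package root of XZ for Java, the function names, and the in-memory sample archive are assumptions made for the example.

```python
import io
import zipfile

# CVE-2015-4035 concerns the xzgrep shell script (scripts/xzgrep.in in the C-based XZ Utils).
VULNERABLE_SCRIPT = "xzgrep"
# Assumption: package root of the XZ for Java library.
JAVA_PACKAGE_PREFIX = "org/tukaani/xz/"


def triage_jar(jar_bytes):
    """Report whether a jar ships an xzgrep script or only XZ for Java classes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
    scripts = [n for n in names if n.rsplit("/", 1)[-1].startswith(VULNERABLE_SCRIPT)]
    classes = [n for n in names
               if n.startswith(JAVA_PACKAGE_PREFIX) and n.endswith(".class")]
    return {
        "xzgrep_entries": scripts,
        "java_classes": len(classes),
        # No script present and Java classes found: evidence for a CPE mismatch.
        "consistent_with_false_positive": not scripts and bool(classes),
    }


def triage_war(war_bytes, jar_prefix="xz-"):
    """Triage every WEB-INF/lib jar whose file name starts with jar_prefix."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            base = name.rsplit("/", 1)[-1]
            if (name.startswith("WEB-INF/lib/") and base.startswith(jar_prefix)
                    and base.endswith(".jar")):
                results[name] = triage_jar(war.read(name))
    return results


def _build_zip(entries):
    """Helper: build a zip archive in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for entry_name, data in entries.items():
            archive.writestr(entry_name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample standing in for the real WAR; contents are illustrative."""
    xz_jar = _build_zip({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/tukaani/xz/XZInputStream.class": b"\xca\xfe\xba\xbe",
    })
    return _build_zip({"WEB-INF/lib/xz-1.8.jar": xz_jar, "WEB-INF/web.xml": b"<web-app/>"})
```

To run it against a real build, pass the bytes of the WAR file to `triage_war` and attach the returned dictionary to the ticket as evidence for the dismissal.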
- is cloned by
- BUILD-449 Dismiss CVE reports related to daisydiff-1.2-magnolia dependency
- Closed