Build / BUILD-448

Dismiss CVE reports related to xz library


Details

    • Yes
    • Maintenance 51
    • 1

    Description

      One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp:

      magnolia-empty-webapp-6.2.8-SNAPSHOT.war: xz-1.8.jar (cpe:2.3:a:tukaani:xz:1.8:*:*:*:*:*:*:*) : CVE-2015-4035

      From https://nvd.nist.gov/vuln/detail/CVE-2015-4035
      scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
      Looks like a false positive. The version used by Magnolia is https://git.tukaani.org/?p=xz-java.git;a=summary and does not have such a file (scripts/xzgrep.in).
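      The dismissal itself, as an added example that is not part of the ticket or of Magnolia's build: the report wording above ("One or more dependencies were identified with known vulnerabilities in ...") is the failure message printed by the OWASP dependency-check Maven plugin, so this assumes that plugin produced the finding. The rule is keyed on the library's Maven coordinates (org.tukaani:xz is the published artifact of xz-java) rather than on a jar hash, so it keeps working after the jar is upgraded; the file name suppressions.xml is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for BUILD-448 (not Magnolia's own file). Assumes the report
     came from the OWASP dependency-check Maven plugin; file name is arbitrary. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      BUILD-448: CVE-2015-4035 is a shell-injection bug in the xzgrep script
      shipped with XZ Utils (the C tools). The flagged artifact is org.tukaani:xz,
      the Java port, which ships no scripts/xzgrep.in at all. The CPE match
      tukaani:xz is a name collision, not a reachable vulnerability.
      Match on the package URL so the rule survives a version bump, and
      suppress only this CVE (not the whole CPE) so that genuine xz-java
      advisories still surface in future scans.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.tukaani/xz@.*$</packageUrl>
    <cve>CVE-2015-4035</cve>
  </suppress>
</suppressions>
```

      Point the plugin at the file through its suppressionFiles parameter. The check behind the note is the one the description already makes: listing the jar contents (for example with unzip -l on xz-1.8.jar) shows no xzgrep script, because the Java library never contained one. Suppressing by <cpe> instead of <cve> would silence every tukaani:xz finding, including real ones in xz-java, which is why the rule is narrowed to the single CVE.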

      People

        fgrilli Federico Grilli