Details
- Task
- Resolution: Done
Description
https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Scanner finding: "One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp: magnolia-empty-webapp-6.2-SNAPSHOT.war: asyncutil-0.1.0.jar (pkg:maven/com.ibm.async/asyncutil@0.1.0, cpe:2.3:a:async_project:async:0.1.0:*:*:*:*:*:*:*) : CVE-2021-43138"
The vulnerable library is the JavaScript package https://github.com/caolan/async, which Magnolia does not use.
Magnolia pulls in a completely different and unrelated Java library, https://github.com/IBM/java-async-util, transitively via RESTEasy. The scanner matched it to the JavaScript package because the artifact id matches, even though the group id is different. This is a false positive; the dependency tree shows where the jar comes from:
[INFO] | | | +- org.jboss.resteasy:resteasy-core:jar:4.6.1.Final:compile
[INFO] | | | | +- com.ibm.async:asyncutil:jar:0.1.0:compile
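Added example, not part of this ticket: a suppression entry for OWASP dependency-check, assuming that is the scanner that produced the finding above (the message format matches its Maven plugin). The entry is scoped to the exact package URL and the mismatched CPE, so a genuine advisory for com.ibm.async:asyncutil itself would still be reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file: dependency-check-suppressions.xml, referenced from the
     dependency-check configuration via suppressionFiles. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: com.ibm.async:asyncutil (IBM java-async-util, pulled in
        transitively by RESTEasy) is matched to the unrelated JavaScript package
        caolan/async (CPE async_project:async) because the artifact id matches.
        The group id shows it is a different project.
        ]]></notes>
        <!-- Match only this Maven coordinate, any version. -->
        <packageUrl regex="true">^pkg:maven/com\.ibm\.async/asyncutil@.*$</packageUrl>
        <!-- Suppress the wrong CPE match rather than a single CVE, so future
             CVEs filed against the JavaScript package are not re-flagged either. -->
        <cpe>cpe:/a:async_project:async</cpe>
    </suppress>
</suppressions>
```

To suppress only this one advisory instead, replace the `<cpe>` element with `<cve>CVE-2021-43138</cve>`; the transitive origin can be re-checked with `mvn dependency:tree -Dincludes=com.ibm.async`.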