[BUILD-1039] Dismiss CVE mismatch about info.magnolia.ocm:jackrabbit-ocm:2.0.1-magnolia
Created: 03/Apr/23  Updated: 14/Apr/23  Resolved: 03/Apr/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to TASKMGMT-66 jackrabbit-ocm dragging in commons-be... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Team: Foundation
Work Started:
Approved:
Yes

 Description   
magnolia-community-webapp-6.2-SNAPSHOT.war: jackrabbit-ocm-2.0.1-magnolia.jar (pkg:maven/info.magnolia.ocm/jackrabbit-ocm@2.0.1-magnolia, cpe:2.3:a:apache:jackrabbit:2.0.1:*:*:*:*:*:*:*) : CVE-2015-1833

https://nvd.nist.gov/vuln/detail/CVE-2015-1833

The CVE is about an older Jackrabbit core version up to (including) 2.0.5 (Magnolia currently uses JR version 2.20.9) and mistakenly matches our recently released fork of the JR OCM library (Magnolia's fork actually resolves another CVE).
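
A narrowly scoped suppression for this finding, as an added example that is not part of the original ticket or of Magnolia's build configuration. It assumes the report comes from OWASP Dependency-Check (the ticket does not name the scanner) and uses that tool's suppression-file format; the package URL and CVE id are copied from the finding above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: assumes OWASP Dependency-Check produced the finding. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      BUILD-1039: false positive. jackrabbit-ocm 2.0.1-magnolia is Magnolia's
      fork of the Jackrabbit OCM library; the scanner mapped it to
      cpe:2.3:a:apache:jackrabbit:2.0.1, which is Jackrabbit core.
      CVE-2015-1833 concerns Jackrabbit core up to and including 2.0.5;
      the core version in use is 2.20.9.
    ]]></notes>
    <!-- Pinned to the exact artifact and version, so a later version of the
         fork is reported again and has to be reviewed again. -->
    <packageUrl regex="true">^pkg:maven/info\.magnolia\.ocm/jackrabbit-ocm@2\.0\.1-magnolia$</packageUrl>
    <!-- Suppress only this CVE, not every match against the CPE. -->
    <cve>CVE-2015-1833</cve>
  </suppress>
</suppressions>
```

Matching on both the package URL and the CVE id keeps the dismissal from hiding other findings against the same jar or the same CVE in a different artifact.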

