[BUILD-1125] Update to JackRabbit 2.20.11 Created: 07/Aug/23  Updated: 12/Dec/23  Resolved: 07/Aug/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: BOM 6.2.38

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Release notes required:
Yes
Team: Foundation
Work Started:
Approved:
Yes

Description

https://nvd.nist.gov/vuln/detail/CVE-2023-37895

Not an actual security issue as far as Magnolia is concerned, since the components involved aren't used (see also https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw).

We're going to update anyway to the latest version where possible (Magnolia 6.2.x) and suppress the CVE for Magnolia 5.7.x, as the latter uses an EOL version of JackRabbit (2.18.x) which no longer receives updates.


Some CVE scan tools also list the following as vulnerable:

  • info.magnolia.ocm:jackrabbit-ocm:jar:2.0.1
  • org.apache.jackrabbit:oak-jackrabbit-api:jar:1.48.0

Those look like false positives: the CPE for CVE-2023-37895 is cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*, which matches any Jackrabbit artifact regardless of component.
Finally, JR stated that only Apache Jackrabbit Webapp and Apache Jackrabbit Standalone are affected, and those are components of the Jackrabbit project proper.
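
The false-positive mechanism described above, as an added example that is not part of the ticket or of the Jackrabbit project: a field-by-field CPE 2.3 match against the wildcard CPE flags every artifact a scanner maps to vendor apache / product jackrabbit, and a triage step restricted to the components JR named as affected filters the rest out. The scanned artifact list, the CPE-assignment heuristic and the versions are constructed for illustration and do not reproduce any real scanner's logic.

```python
# Added example: CPE 2.3 wildcard matching vs. Maven coordinates, and a triage
# filter keyed on the components Jackrabbit reported as affected.
VULN_CPE = "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*"  # CPE cited in the ticket

# Constructed scan input: Maven coordinates as group:artifact:version.
SCANNED = [
    "org.apache.jackrabbit:jackrabbit-webapp:2.20.10",
    "org.apache.jackrabbit:jackrabbit-standalone:2.20.10",
    "org.apache.jackrabbit:jackrabbit-core:2.20.10",
    "info.magnolia.ocm:jackrabbit-ocm:2.0.1",
    "org.apache.jackrabbit:oak-jackrabbit-api:1.48.0",
]

# Per the ticket (citing Jackrabbit), only these components are affected.
AFFECTED_ARTIFACTS = {"jackrabbit-webapp", "jackrabbit-standalone"}

def cpe_fields(cpe):
    """Split a CPE 2.3 formatted string into its 11 attribute fields after 'cpe:2.3'."""
    parts = cpe.split(":")
    assert parts[:2] == ["cpe", "2.3"] and len(parts) == 13, cpe
    return parts[2:]

def cpe_matches(pattern, candidate):
    """Field-by-field match: '*' (ANY) on either side matches anything, else exact."""
    return all(p == "*" or c == "*" or p == c
               for p, c in zip(cpe_fields(pattern), cpe_fields(candidate)))

def guess_cpe(coord):
    """Constructed scanner heuristic: any artifact whose name mentions 'jackrabbit'
    is reported as vendor 'apache', product 'jackrabbit' (the over-broad mapping)."""
    group, artifact, version = coord.split(":")
    if "jackrabbit" in artifact:
        return f"cpe:2.3:a:apache:jackrabbit:{version}:*:*:*:*:*:*:*"
    return None

def flagged(coords, restrict_to_affected=False):
    """Return the artifacts flagged for the CVE; optionally drop those outside
    the affected component list (the triage step from the ticket)."""
    hits = []
    for coord in coords:
        cpe = guess_cpe(coord)
        if cpe is None or not cpe_matches(VULN_CPE, cpe):
            continue
        artifact = coord.split(":")[1]
        if restrict_to_affected and artifact not in AFFECTED_ARTIFACTS:
            continue
        hits.append(coord)
    return hits
```

Running flagged(SCANNED) reports all five artifacts, while flagged(SCANNED, restrict_to_affected=True) keeps only the webapp and standalone coordinates.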

Generated at Sun Feb 11 23:48:22 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.