[BUILD-1127] Dismiss CVE mismatch about Quartz library (CVE-2023-39017) Created: 07/Aug/23 Updated: 07/Nov/23 Resolved: 08/Aug/23 |
|
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Acceptance criteria: |
Empty
|
||||||||
| Task DoR: |
Empty
|
||||||||
| Approved: |
Yes
|
||||||||
| Description |
|
https://nvd.nist.gov/vuln/detail/CVE-2023-39017

The issue would actually concern the artifact quartz-jobs, which Magnolia doesn't use, but the CPE erroneously matches any quartz artifact; see also https://github.com/quartz-scheduler/quartz/issues/943#issuecomment-1666141115

[INFO] | +- info.magnolia.task:magnolia-task-management:jar:1.2.11:compile
[INFO] | | +- org.quartz-scheduler:quartz:jar:2.3.2:compile
|