[BUILD-1208] Dismiss CVE about mvel2-2.4.15+ Created: 02/Jan/24 Updated: 11/Jan/24 Resolved: 08/Jan/24 |
|
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Template: |
|
||||
| Acceptance criteria: |
[X]*
Remove temporary suppression, if dependency is updated
|
||||
| Task DoR: |
Empty
|
||||
| Team: | |||||
| Work Started: | |||||
| Approved: |
Yes
|
||||
| Description |
|
Pulled in via jBPM, still undergoing analysis at the moment of writing.
https://nvd.nist.gov/vuln/detail/CVE-2023-51079

[INFO] | +- org.jbpm:jbpm-runtime-manager:jar:7.74.1.Final:compile
[INFO] | | +- org.eclipse.aether:aether-api:jar:1.1.0:compile
[INFO] | | +- org.kie.soup:kie-soup-project-datamodel-commons:jar:7.74.1.Final:compile
[INFO] | | | \- org.kie.soup:kie-soup-project-datamodel-api:jar:7.74.1.Final:compile
[INFO] | | +- org.mvel:mvel2:jar:2.4.15.Final:compile

The vulnerability was eventually dismissed by the library maintainers. The API in question isn't used by Magnolia directly anyway. |