[BUILD-1208] Dismiss CVE about mvel2-2.4.15+ Created: 02/Jan/24  Updated: 11/Jan/24  Resolved: 08/Jan/24

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
Template:
Acceptance criteria:
[X] Remove the temporary suppression if the dependency is updated
Task DoR:
Empty
Team: Foundation
Work Started:
Approved:
Yes

 Description   

mvel2 2.4.15.Final is pulled in transitively via jBPM (jbpm-runtime-manager 7.74.1.Final, see the dependency tree below); the CVE report was still undergoing analysis at the moment of writing.

https://nvd.nist.gov/vuln/detail/CVE-2023-51079
https://github.com/mvel/mvel/issues/348 

[INFO] |  +- org.jbpm:jbpm-runtime-manager:jar:7.74.1.Final:compile
[INFO] |  |  +- org.eclipse.aether:aether-api:jar:1.1.0:compile
[INFO] |  |  +- org.kie.soup:kie-soup-project-datamodel-commons:jar:7.74.1.Final:compile
[INFO] |  |  |  \- org.kie.soup:kie-soup-project-datamodel-api:jar:7.74.1.Final:compile
[INFO] |  |  +- org.mvel:mvel2:jar:2.4.15.Final:compile

The vulnerability report was eventually dismissed by the library maintainers (see the mvel issue linked above). The affected API isn't used directly by Magnolia in any case; the suppression stays in place only until the transitive dependency is updated (see the acceptance criterion).
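The acceptance criterion ("remove the temporary suppression if the dependency is updated") is easy to forget once the ticket is closed. The script below is an added example, not Magnolia's or jBPM's code: it compares the artifacts in `mvn dependency:tree` output against the packageUrl patterns in a suppressions file and reports every suppression whose pinned version is no longer on the classpath. It assumes the suppression is an OWASP dependency-check entry keyed by a `packageUrl` regex (the ticket does not name the tool); both the tree fragment and the suppressions XML below are constructed samples based on the lines in this ticket.

```python
"""Flag dependency-check suppressions whose suppressed dependency has moved on.

Added example (not Magnolia's or jBPM's code). It automates the ticket's acceptance
criterion: once the transitive dependency is updated, a suppression pinned to the
old version no longer matches anything and should be removed.
"""
import re
import sys
import xml.etree.ElementTree as ET

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# Namespace of the OWASP dependency-check suppression schema (assumed tool).
DC_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed sample: the fragment of `mvn dependency:tree` output quoted in the ticket.
SAMPLE_TREE = """\
[INFO] |  +- org.jbpm:jbpm-runtime-manager:jar:7.74.1.Final:compile
[INFO] |  |  +- org.eclipse.aether:aether-api:jar:1.1.0:compile
[INFO] |  |  +- org.kie.soup:kie-soup-project-datamodel-commons:jar:7.74.1.Final:compile
[INFO] |  |  |  \\- org.kie.soup:kie-soup-project-datamodel-api:jar:7.74.1.Final:compile
[INFO] |  |  +- org.mvel:mvel2:jar:2.4.15.Final:compile
"""

# Constructed sample: a hypothetical dependency-check suppression for this ticket,
# pinned to the exact mvel2 version so it stops matching after a bump.
SAMPLE_SUPPRESSIONS = """\
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>BUILD-1208: dismissed by mvel maintainers; API not used directly by Magnolia</notes>
    <packageUrl regex="true">^pkg:maven/org\\.mvel/mvel2@2\\.4\\.15\\.Final$</packageUrl>
    <cve>CVE-2023-51079</cve>
  </suppress>
</suppressions>
"""


def artifacts_in_tree(tree_text):
    """Return {(groupId, artifactId): {versions}} for every coordinate in the tree output."""
    found = {}
    for line in tree_text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        parts = line.split()[-1].split(":")  # groupId:artifactId:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue  # not a Maven coordinate (e.g. a log line)
        if parts[-1] in MAVEN_SCOPES:
            parts = parts[:-1]  # drop the scope; the root/aggregator line has none
        group, artifact, version = parts[0], parts[1], parts[-1]
        found.setdefault((group, artifact), set()).add(version)
    return found


def purl(group, artifact, version):
    """Build the package URL dependency-check matches packageUrl patterns against."""
    return f"pkg:maven/{group}/{artifact}@{version}"


def stale_suppressions(tree_text, suppressions_xml):
    """Return [(cves, packageUrl pattern, versions now in the tree)] for every
    suppression whose packageUrl matches no artifact in the dependency tree."""
    found = artifacts_in_tree(tree_text)
    purls = [purl(g, a, v) for (g, a), versions in found.items() for v in versions]
    stale = []
    for sup in ET.fromstring(suppressions_xml).iter(f"{{{DC_NS}}}suppress"):
        pu = sup.find(f"{{{DC_NS}}}packageUrl")
        if pu is None or not pu.text:
            continue  # suppressions keyed by sha1/filePath are out of scope here
        pattern = pu.text.strip()
        is_regex = pu.get("regex", "false").lower() == "true"
        matcher = re.compile(pattern).search if is_regex else pattern.__eq__
        if any(matcher(p) for p in purls):
            continue  # the suppressed version is still on the classpath: keep it
        cves = ", ".join(c.text.strip() for c in sup.findall(f"{{{DC_NS}}}cve")) or "(no CVE)"
        # Show what the same group/artifact resolved to now, so the reviewer sees the bump.
        m = re.search(r"pkg:maven/([^/@]+)/([^/@]+)", pattern.replace("\\", ""))
        current = sorted(found.get((m.group(1), m.group(2)), ())) if m else []
        stale.append((cves, pattern, current))
    return stale


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python check_suppressions.py suppressions.xml
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUPPRESSIONS
    stale = stale_suppressions(tree, xml)
    for cves, pattern, current in stale:
        print(f"STALE suppression for {cves}: {pattern} (now resolved to {current or 'nothing'})")
    sys.exit(1 if stale else 0)
```

Wire it into the build after the dependency-check step so a jBPM bump that drags in a newer mvel2 fails CI until someone deletes the entry; with the samples above it reports nothing, and it reports CVE-2023-51079 as stale as soon as the tree shows any version other than 2.4.15.Final.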


Generated at Sun Feb 11 23:49:09 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.