JaCoCo depends on Maven Reporting Impl 2.1, which depends on Doxia 1.1.2, which depends on Xerces 2.8.1, which has this CVE:
CVE-2012-0881: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
This is classified as a HIGH severity vulnerability.
Upgrading to Maven Reporting Impl 3.0 resolves this issue, as 3.0 uses Doxia 1.7, which has no dependency on Xerces at all.
Thanks.
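The reporter's chain (plugin -> maven-reporting-impl -> Doxia -> Xerces) is the kind of claim that should be checked against the build's own dependency tree rather than a scanner summary. The script below is an added example, not code from the JaCoCo project: it reads `mvn dependency:tree` output and prints the chain of parents that leads to a target `groupId:artifactId`. The embedded tree is constructed for offline use; the maven-reporting-impl, Doxia and Xerces versions are the ones stated in the issue, the plugin version `0.0.0`, the artifact name `doxia-core` and the extra `maven-plugin-api` line are placeholders, not taken from the real tree.

```shell
#!/bin/sh
# Added example (not from the JaCoCo project): print the path from the root
# module to a transitive dependency in `mvn dependency:tree` output, so the
# chain reported in the issue can be verified from an actual build.
#
# Real use:   mvn dependency:tree | dep_path xerces:xercesImpl
# Offline:    printf '%s\n' "$SAMPLE_TREE" | dep_path xerces:xercesImpl

# Constructed sample tree. Versions 2.1 / 1.1.2 / 2.8.1 are those named in
# the issue; plugin version 0.0.0, the doxia-core artifact name and the
# maven-plugin-api line are placeholders and are not from the real build.
SAMPLE_TREE='[INFO] org.jacoco:jacoco-maven-plugin:maven-plugin:0.0.0
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:2.1:compile
[INFO] |  \- org.apache.maven.doxia:doxia-core:jar:1.1.2:compile
[INFO] |     \- xerces:xercesImpl:jar:2.8.1:compile
[INFO] \- org.apache.maven:maven-plugin-api:jar:3.0:compile'

# dep_path GROUP:ARTIFACT
# Reads tree text on stdin; for every node whose groupId:artifactId matches,
# prints "root -> parent -> ... -> node" on one line.
dep_path() {
  awk -v target="$1" '
    {
      line = $0
      sub(/^\[INFO\] /, "", line)        # drop the Maven log prefix
      depth = 0
      # Each nesting level is drawn with a 3-character prefix:
      # "+- " / "\- " for a node, "|  " / "   " for continuation.
      while (substr(line, 1, 3) ~ /^(\+- |\\- |\|  |   )$/) {
        line = substr(line, 4)
        depth++
      }
      path[depth] = line                 # remember the node at this depth
      split(line, c, ":")                # groupId:artifactId:type:version[:scope]
      if ((c[1] ":" c[2]) == target) {
        out = path[0]
        for (i = 1; i <= depth; i++) out = out " -> " path[i]
        print out
      }
    }'
}

# Demo on the constructed tree.
printf '%s\n' "$SAMPLE_TREE" | dep_path xerces:xercesImpl
```

On a real project, `mvn dependency:tree -Dincludes=xerces:xercesImpl` narrows the printed tree to that artifact and the nodes leading to it; the function above works on either the narrowed or the full output. Note that this only shows what Maven resolves onto the classpath, not whether any of it is loaded at runtime, which is the separate point the maintainer makes in the reply below.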
First of all, there is absolutely no way to exploit CVE-2012-0881 via jacoco-maven-plugin, because these transitive dependencies on doxia and xerces are actually not used at runtime. I'm omitting proof of this for the time being as a kind of exercise for potential contributors.
This dependency is not really useful for JaCoCo reports and has several transitive dependencies where security vulnerabilities have been reported.

Fixes #641, #920