Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dom4j1.1 dependency #834

Closed
AleksandrNi opened this issue Nov 28, 2022 · 6 comments
Closed

dom4j1.1 dependency #834

AleksandrNi opened this issue Nov 28, 2022 · 6 comments

Comments

@AleksandrNi
Copy link

AleksandrNi commented Nov 28, 2022
edited

could you please update version of the dependency?
dom4j:dom4j CVE-2020-10683 CRITICAL 1.1

[INFO] - org.codehaus.mojo:versions-maven-plugin:jar:2.13.0:compile
[INFO] +- org.apache.maven.reporting:maven-reporting-api:jar:3.1.1:compile
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:3.2.0:compile
[INFO] | +- org.apache.maven:maven-core:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-model:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-settings:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-settings-builder:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-repository-metadata:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-model-builder:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-aether-provider:jar:3.1.0:compile
[INFO] | | | - org.eclipse.aether:aether-spi:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.aether:aether-impl:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.aether:aether-api:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.aether:aether-util:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.0.0.M2a:compile
[INFO] | | | +- javax.enterprise:cdi-api:jar:1.0:compile
[INFO] | | | | +- javax.annotation:jsr250-api:jar:1.0:compile
[INFO] | | | | - javax.inject:javax.inject:jar:1:compile
[INFO] | | | +- org.sonatype.sisu:sisu-guice:jar:no_aop:3.1.0:compile
[INFO] | | | | - aopalliance:aopalliance:jar:1.0:compile
[INFO] | | | - org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.0.0.M2a:compile
[INFO] | | | - asm:asm:jar:3.3.1:compile
[INFO] | | +- org.codehaus.plexus:plexus-interpolation:jar:1.16:compile
[INFO] | | +- org.codehaus.plexus:plexus-classworlds:jar:2.4.2:compile
[INFO] | | - org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] | | - org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] | +- org.apache.maven:maven-artifact:jar:3.1.0:compile
[INFO] | +- org.apache.maven:maven-plugin-api:jar:3.1.0:compile
[INFO] | +- org.apache.maven.shared:maven-shared-utils:jar:3.3.4:compile
[INFO] | | - commons-io:commons-io:jar:2.6:compile
[INFO] | +- org.apache.maven.doxia:doxia-decoration-model:jar:1.11.1:compile
[INFO] | - org.apache.maven.doxia:doxia-integration-tools:jar:1.11.1:compile
[INFO] +- org.apache.maven.shared:maven-common-artifact-filters:jar:3.3.2:compile
[INFO] +- org.apache.maven.wagon:wagon-file:jar:3.5.2:compile
[INFO] | - org.apache.maven.wagon:wagon-provider-api:jar:3.5.2:compile
[INFO] +- org.apache.maven.doxia:doxia-core:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-logging-api:jar:1.11.1:compile
[INFO] | +- org.codehaus.plexus:plexus-container-default:jar:2.1.0:compile
[INFO] | | +- org.apache.xbean:xbean-reflect:jar:3.7:compile
[INFO] | | - com.google.collections:google-collections:jar:1.0:compile
[INFO] | +- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:compile
[INFO] | - org.apache.commons:commons-text:jar:1.3:compile
[INFO] +- org.apache.maven.doxia:doxia-sink-api:jar:1.11.1:compile
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-skin-model:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-module-xhtml:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-module-xhtml5:jar:1.11.1:compile
[INFO] | +- org.codehaus.plexus:plexus-i18n:jar:1.0-beta-10:compile
[INFO] | +- org.codehaus.plexus:plexus-velocity:jar:1.2:compile
[INFO] | +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | | - commons-lang:commons-lang:jar:2.4:compile
[INFO] | +- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] | | +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] | | +- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | +- commons-chain:commons-chain:jar:1.1:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.1:compile
[INFO] | | +- dom4j:dom4j:jar:1.1:compile
@slawekjaranowski
Copy link
Member

please provide an example project which show how CVE-2020-10683 can be used to in versions-maven-plugin.

@jarmoniuk
Copy link
Contributor

jarmoniuk commented Dec 18, 2022
edited

Are you using org.apache.maven.reporting:maven-reporting-impl or org.codehaus.mojo:versions-maven-plugin as a project dependency @AleksandrNi?

@jarmoniuk
Copy link
Contributor

Resolved by #877?

@slawekjaranowski
Copy link
Member

Not exactly - there is a legacy dependency dom4j:dom4j which does not have fix, fix is in artifact with new cordinate org.dom4j:dom4j
Will be fixed in new doxia

@slawekjaranowski
Copy link
Member

Now close as won't fix by versions.

@slawekjaranowski slawekjaranowski closed this as not planned Won't fix, can't repro, duplicate, stale Dec 23, 2022
@jarmoniuk
Copy link
Contributor

Even so, I don't think how this could possibly be used for an exploit unless somebody used the plugin as a dependency in their project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jarmoniuk @slawekjaranowski @AleksandrNi