ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nick Monkman (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)
Date Fri, 19 Mar 2021 16:15:00 GMT

    [ https://issues.apache.org/jira/browse/WSS-683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304999#comment-17304999
] 

Nick Monkman edited comment on WSS-683 at 3/19/21, 4:14 PM:
------------------------------------------------------------

Yes.  Here is the relevant output of 'gradle dependencies'.  The \{{velocity-1.7 }} reference
is near the bottom

 
{noformat}
|    +--- org.apache.wss4j:wss4j-ws-security-common:2.3.1
|    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    +--- org.apache.santuario:xmlsec:2.2.1
|    |    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    |    +--- commons-codec:commons-codec:1.15
|    |    |    \--- com.fasterxml.woodstox:woodstox-core:5.2.1
|    |    |         \--- org.codehaus.woodstox:stax2-api:4.2
|    |    +--- org.opensaml:opensaml-saml-impl:3.4.5
|    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- io.dropwizard.metrics:metrics-core:3.1.2
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.7 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.1 -> 3.0.2
|    |    |    |    |    |    +--- com.google.guava:guava:20.0 -> 29.0-jre (*)
|    |    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-saml-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5
|    |    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.59 -> 1.68
|    |    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5 (*)
|    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-xmlsec-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-soap-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.apache.velocity:velocity:1.7
|    |    |    |    +--- commons-collections:commons-collections:3.2.1 -> 3.2.2
|    |    |    |    \--- commons-lang:commons-lang:2.4
|    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2{noformat}
 


was (Author: kraberus):
Yes.  Here is the relevant output of 'gradle dependencies'.  The {{velocity-1.7 }}reference
is near the bottom

 
{noformat}
|    +--- org.apache.wss4j:wss4j-ws-security-common:2.3.1
|    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    +--- org.apache.santuario:xmlsec:2.2.1
|    |    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    |    +--- commons-codec:commons-codec:1.15
|    |    |    \--- com.fasterxml.woodstox:woodstox-core:5.2.1
|    |    |         \--- org.codehaus.woodstox:stax2-api:4.2
|    |    +--- org.opensaml:opensaml-saml-impl:3.4.5
|    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- io.dropwizard.metrics:metrics-core:3.1.2
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.7 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.1 -> 3.0.2
|    |    |    |    |    |    +--- com.google.guava:guava:20.0 -> 29.0-jre (*)
|    |    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-saml-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5
|    |    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.59 -> 1.68
|    |    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5 (*)
|    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-xmlsec-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-soap-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.apache.velocity:velocity:1.7
|    |    |    |    +--- commons-collections:commons-collections:3.2.1 -> 3.2.2
|    |    |    |    \--- commons-lang:commons-lang:2.4
|    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2{noformat}
 

> WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)
> --------------------------------------------------------------------------------------
>
>                 Key: WSS-683
>                 URL: https://issues.apache.org/jira/browse/WSS-683
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.3.1
>            Reporter: Nick Monkman
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>              Labels: security
>
> WSS4J has a transitive dependency on velocity 1.7 (via OpenSAML 3.x) which is subject
to a high security vulnerability ( [https://nvd.nist.gov/vuln/detail/CVE-2020-13936] )
> WSS4J should update its OpenSAML dependency to 4.x thereby allowing velocity-core-engine
to be updated to the patched version (2.3)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message