[MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version

[jira-importer]

Polu Ram Charan Teja opened MNG-7513 and commented

In the maven latest version 3.8.6 one dependency is identified with known vulnerabilities in commons-io-2.6.jar CVE-2021-29425. so please suggest if you have plan to upgrade commons-io to latest version as we are getting impacted due to security checks

---

Affects: 3.8.6

Issue Links:

• MNG-7533 jar v2.6 has medium (CVE-2021-29425) Prisma vulnerability associated with maven v3.8.6
  ("is duplicated by")

Remote Links:

• GitHub Pull Request #771
  

Backported to: 4.0.0-alpha-2, 3.9.0, 3.8.7

0 votes, 5 watchers

[jira-importer]

Michael Osipov commented

Cannot happen on the 3.8.x line.

[jira-importer]

Polu Ram Charan Teja commented

Could you please provide an estimated date for this fix?

[jira-importer]

Michael Osipov commented

We don't provide any time estimates.

[jira-importer]

Michael Osipov commented

Do you expect Maven 3.8.7 with a fix?

[jira-importer]

Polu Ram Charan Teja commented

That would be very helpful, I was expecting a  version and a date to raise the PSE exception, our security requires these details.

[jira-importer]

Michael Osipov commented

Whatever PSE exception is...Upgrade to 2.7 cannot happen in 3.8.7 because we have a Java 7 baseline. Any upgrade of Commons IO requires Java 8. Therefore, you need to solve the problem yourself. I recommend you to check whether a 3.9.0 snapshot fixes the issue. I am certain it does.

[jira-importer]

Sylwester Lachiewicz commented

we do not deliver commons-io.jar with maven dist.

Could you specify what exactly dependency pull this commons-io (maybe screenshot with dependency tree?)

[jira-importer]

Michael Osipov commented

Sylwester Lachiewicz, we do as a transitive dep:

[INFO] +- org.apache.maven.shared:maven-shared-utils:jar:3.3.4:compile
[INFO] |  \- commons-io:commons-io:jar:2.6:compile

and the only thing used from Maven Shared Utils are message colorization stuff. We can take a look at all relevant code in MSU and likely exclude Commons IO.

[jira-importer]

Michael Osipov commented

Working in a PR to completely remove Commons IO from distro.

[jira-importer]

Michael Osipov commented

Fixed with efa9f0c67888c0d88e6611560994c8c00ca92491 and with with f164ab5f89c85657f6f5d8a6c05978e60c87dcc5 for maven-3.9.x branch.

[jira-importer]

Michael Osipov commented

Fixed with ba058ee3972b4909baccb92fd0ebc2cf923ded85 for maven-3.8.x branch.