Vulnerabilities on Transitive Dependencies in Commons Compress 1.25

Question

Vulnerabilities on Transitive Dependencies in Commons Compress 1.25

ra-lukas opened this issue 5 months ago · comments

Checkmarx in IntelliJ is warning on the use of org.apache.commons:commons-compress:1.25.0

Provides transitive vulnerable dependency maven:org.apache.commons:commons-compress:1.25.0
CVE-2024-26308 7.5 Allocation of Resources Without Limits or Throttling vulnerability with High severity found
CVE-2024-25710 5.5 Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with Medium severity found

Looks like this was addressed in 1.26.

Just a heads up.

github-actions · Answer 1 · Fri Mar 22 2024 20:01:28 GMT+0800 (China Standard Time)

Thank you for contributing to Poiji! Feel free to create a PR If you want to contribute directly :)

Lukas Bradley · Answer 2 · Fri Mar 22 2024 20:07:16 GMT+0800 (China Standard Time)

Looks like the problem is with POI, which isn't scheduled to be updated for a while.... feel free to delete this issue if desired.

Hakan Özler · Answer 3 · Fri Mar 22 2024 22:53:37 GMT+0800 (China Standard Time)

Thanks @ra-lukas !

stale · Answer 4 · Mon Apr 22 2024 15:47:41 GMT+0800 (China Standard Time)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.