Describe the issue
Including mockserver-client-java as a Maven dependency will pull a vulnerable transitive dependency found in commons-collections:3.2.2
Vulnerability information is found here (CWE-674 classified HIGH due to attack vector network and low complexity for attacker):
https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea
Solution is to update commons-collection dependency to use as problem was fixed in following PR:
https://github.com/apache/commons-collections/pull/57/files
Latest version is:
org.apache.commons:commons-collections4:4.4
What you are trying to do
Was simply using the library as part of our own project. Our security scanning tools detected the vulnerability.
MockServer version
The version you are using: 5.15.0
To Reproduce
Steps to reproduce the issue:
org.mock-server:mockserver-client-java:5.15.0
Expected behaviour
Latest versions of all libraries are being used, minimizing the number of possible security vulnerabilities reported.
MockServer Log
N/A
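
To confirm which direct dependency brings in the flagged artifact, the output of `mvn dependency:tree` can be searched for its coordinates. The script below is an added example, not part of the original issue or of MockServer; the sample tree is constructed, and the intermediate artifact in it is a placeholder, so the real path in a build may differ.

```python
import re

# Constructed sample of `mvn dependency:tree` output. The root project and the
# intermediate artifact are placeholders, not MockServer's real dependency path.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.mock-server:mockserver-client-java:jar:5.15.0:compile
[INFO] |  +- example.placeholder:intermediate-lib:jar:1.0:compile
[INFO] |  |  \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \\- example.placeholder:other-lib:jar:1.0:compile
[INFO] \\- org.apache.commons:commons-collections4:jar:4.4:compile
"""

# The tree prefix is made of 3-character cells: "|  ", "   ", "+- " or "\- ".
LINE_RE = re.compile(r"^\[INFO\] ((?:[| ] {2})*(?:[+\\]- )?)(\S+)$")


def find_paths(tree_text, group_id, artifact_id, version=None):
    """Return every root-to-node path that ends at the given artifact."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # banners, warnings, blank lines
        prefix, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:
            continue  # not a group:artifact:type:version[:scope] coordinate
        depth = len(prefix) // 3
        del stack[depth:]  # leave the previous branch
        stack.append(coord)
        # The root line has no scope, so its version is the last field;
        # dependency lines end in ":scope", so the version is second to last.
        found_version = parts[-1] if depth == 0 else parts[-2]
        if (parts[0], parts[1]) == (group_id, artifact_id) and \
                version in (None, found_version):
            hits.append(list(stack))
    return hits


def direct_dependencies_pulling(tree_text, group_id, artifact_id, version=None):
    """Return the direct (depth 1) dependencies whose subtree holds the artifact."""
    paths = find_paths(tree_text, group_id, artifact_id, version)
    return sorted({p[1] for p in paths if len(p) > 1})


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "commons-collections",
                           "commons-collections", "3.2.2"):
        print(" -> ".join(path))
```
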