[KARAF-7223] Upgrade maven artifacts to mitigate CVE-2021-26291 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Dependency upgrade
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 4.3.2
Fix Version/s: 4.3.8, 4.4.2
Component/s: karaf
Labels:
None
Environment:

Apache Karaf - OSGi

Target Version/s:

4.3.8, 4.4.2

Description

We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2021-26291 (https://nvd.nist.gov/vuln/detail/CVE-2021-26291) on our package because Karaf by default packs maven 3.6.x. The fix for the specified CVE is Maven 3.8.1+. (https://maven.apache.org/docs/3.8.1/release-notes.html) . Apache Karaf should update to use later versions of Maven resolver etc so that this vulnerability is mitigated.

Attachments

Issue Links

is blocked by

KARAF-7579 Upgrade to Pax URL 2.6.12

Resolved

Activity

People

Assignee:: Jean-Baptiste Onofré

Reporter:: Karthick

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Jul/21 07:14

Updated:: 14/Oct/22 12:19

Resolved:: 14/Oct/22 12:19