[hibernate-issues] [JIRA] (HHH-14018) Upgrade to dom4j 2.1.3 for CVE-2020-10683
Frans Flippo (JIRA)
jira at hibernate.atlassian.net
Wed May 13 08:14:43 EDT 2020
Frans Flippo ( https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=5dadc794ba2c320c2c319e21 ) *created* an issue
Hibernate ORM ( https://hibernate.atlassian.net/browse/HHH ) / Bug / HHH-14018 ( https://hibernate.atlassian.net/browse/HHH-14018 ) Upgrade to dom4j 2.1.3 for CVE-2020-10683
Issue Type: Bug
Affects Versions: 5.3.6
Assignee: Vlad Mihalcea ( https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Af5e8c0d3-3aae-4bb4-a4e1-25463d60d232 )
Components: hibernate-core
Created: 13/May/2020 05:14 AM
Fix Versions: 5.2.18, 5.4.0.CR1, 5.1.17, 5.3.7
Priority: Major
Reporter: Frans Flippo ( https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=5dadc794ba2c320c2c319e21 )
--------
Overview
--------
The transitive dependency dom4j 1.6.1 has a CVE, which is used by hibernate core (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632 ). This version is outdated.
Hibernate core should upgrade to version 2.x.x. org.dom4j
------
Detail
------
Related to the forum https://discourse.hibernate.org/t/dom4j-raise-up-a-cve/1362.