opencsv / Bugs / #236 apache commons dependency security bug

#236 apache commons dependency security bug

Milestone: v1.0 (example)

Status: closed-duplicate

Owner: Andrew Rucker Jones

Labels: security (1)

Priority: 1

Updated: 2022-10-25

Created: 2022-10-25

Creator: arch0njw

Private: No

Bug notification: https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/

And also these:

https://www.imperva.com/blog/apache-commons-text-vulnerability-cve-2022-42889/#:~:text=CVE-2022-42889%20was%20recently,disables%20the%20problem%20by%20default
https://nvd.nist.gov/vuln/detail/CVE-2022-42889

I have a service I'm no longer able to run because of this issue. If a patch to the latest apache.commons (especially the text library) is not feasible, I'll need to rewrite with another library.

Discussion

Andrew Rucker Jones - 2022-10-25

status: open --> closed-duplicate

assigned_to: Andrew Rucker Jones
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Andrew Rucker Jones - 2022-10-25

We just released version 5.7.1 to address the Commons Text vulnerability.
As for the Commons Collections vulnerability, we use Commons Collections 4.4 and have for a long time. The problem is BeanUtils, which still has not upgraded from Commons Collections 3. Our code does not use the vulnerable Commons Collections. See https://sourceforge.net/p/opencsv/feature-requests/154/

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

arch0njw - 2022-10-25

Superb. Thank you!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

apache commons dependency security bug

Group

Searches

Help

#236 apache commons dependency security bug

Discussion