[SHA-2299] [Security Issue] plexus-utils 2.0.6 - Alfresco JIRA

Details

Type: Bug
Status: Done
Resolution: Done
Affects Version/s: 5.2.N, 6.0.N, 6.N
Fix Version/s: 5.2.N, 6.0.N, 6.N
Component/s: None
Labels:
None

Bug Priority:

Category 1
Sprint:
Sibelius
Story Points:
3

Description

Found by Veracode scan (score 9.8): https://saas.whitesourcesoftware.com/Wss/WSS.html#!libraryDetails;uuid=31a4bf00-65b8-4f87-9206-5cb283bf095d;project=1013379

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487

"Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings."

Dependency hierarchy ("<-" = "brings in"):

Share <- spring-surf 6.11 <- maven-artifact 3.0.3 <- plexus-utils 2.0.6

Attachments

Issue Links

Depended on by

SHA-2301 [Spike] Investigate the security issues with CVSS 3 Score >= 9.5 on Share, Surf, Webscripts and Aikau

Done

Structure

Activity

People

Assignee:

Unassigned

Reporter:

Alexandru Balmus

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

15-Mar-19 11:49 AM

Updated:

17-Jul-20 01:24 PM

Resolved:

29-Mar-19 01:19 PM

Structure Helper Panel