ZK-5140

ZK loads vulnerable commons-io transitively


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 10.0.0, 9.6.3
    • Affects Version/s: 9.6.1
    • None
    • Security Level: Jimmy

Steps to Reproduce

Load zk.jar 9.6.1 through Maven.

Current Result

zk.jar transitively loads commons-fileupload 1.4.

commons-fileupload transitively loads commons-io 2.2.

Expected Result

Doesn't load vulnerable dependencies; update to commons-io 11 if there are no compatibility issues.

Debug Information

commons-io is vulnerable up to 2.7.

https://mvnrepository.com/artifact/commons-io/commons-io

The CKEZ package also loads commons-fileupload 1.4, but specifies commons-io 2.7:

https://github.com/zkoss/zkckeditor/blob/master/ckez/pom.xml

Workaround

Set the version manually for commons-io in the pom file:

    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.11.0</version>
    </dependency>
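To confirm whether the pin above took effect, or whether an unfixed build still resolves commons-io 2.2 through commons-fileupload, the following added shell check (not part of the ZK tracker or the ZK project) scans `mvn dependency:tree` output for a resolved commons-io older than 2.7, the range the report calls vulnerable. The two tree samples are constructed for the example, and `sort -V` (GNU coreutils or BusyBox) is assumed to be available.

```shell
#!/bin/sh
# Scan `mvn dependency:tree` output for a resolved commons-io below 2.7.
# Against a real build:  mvn dependency:tree | check_commons_io
# Assumes sort -V for version ordering (GNU coreutils / BusyBox).

# Constructed sample output, mirroring the dependency chain in the report.
SAMPLE_VULNERABLE='[INFO] com.example:app:jar:1.0
[INFO] +- org.zkoss.zk:zk:jar:9.6.1:compile
[INFO] |  \- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] |     \- commons-io:commons-io:jar:2.2:compile'

# Constructed sample of the same project after pinning commons-io 2.11.0
# in the pom, as the workaround suggests: Maven now resolves the direct pin.
SAMPLE_FIXED='[INFO] com.example:app:jar:1.0
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] \- org.zkoss.zk:zk:jar:9.6.1:compile
[INFO]    \- commons-fileupload:commons-fileupload:jar:1.4:compile'

# Print every resolved commons-io version found in dependency:tree text on stdin.
# Tree lines have the form groupId:artifactId:type:version:scope.
commons_io_versions() {
  sed -n 's/.*commons-io:commons-io:jar:\([^:]*\):.*/\1/p'
}

# Read dependency:tree output on stdin. Return 0 if no resolved commons-io is
# older than 2.7; otherwise name each offending version on stderr and return 1.
check_commons_io() {
  min="2.7"
  status=0
  for v in $(commons_io_versions); do
    # sort -V orders version strings; if $v sorts first and differs, it is older.
    lowest=$(printf '%s\n%s\n' "$v" "$min" | sort -V | head -n 1)
    if [ "$v" != "$min" ] && [ "$lowest" = "$v" ]; then
      echo "commons-io $v is below $min: pin or exclude it" >&2
      status=1
    fi
  done
  return $status
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_VULNERABLE" | check_commons_io || echo "vulnerable sample flagged"
printf '%s\n' "$SAMPLE_FIXED" | check_commons_io && echo "fixed sample is clean"
```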

DevChu
MDuchemin