ZK-5140: ZK loads vulnerable commons-io transitively


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.6.1
    • Fix Version/s: 10.0.0, 9.6.3
    • Component/s: None
    • Security Level: Jimmy
    • Labels:

      Description

      Steps to Reproduce

Load zk.jar 9.6.1 through Maven.

Current Result

zk.jar 9.6.1 transitively loads commons-fileupload 1.4.

commons-fileupload transitively loads commons-io 2.2.

Expected Result

ZK doesn't load vulnerable dependencies; update to commons-io 11 if there are no compatibility issues.

      Debug Information

      Commons-io is vulnerable up to 2.7

https://mvnrepository.com/artifact/commons-io/commons-io

The CKEZ package also loads commons-fileupload 1.4, but specifies commons-io 2.7:

      https://github.com/zkoss/zkckeditor/blob/master/ckez/pom.xml

      Workaround

Set the commons-io version manually in the pom file:

    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.11.0</version>
    </dependency>
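As an added check (not part of this issue, and not ZK's own code), the script below reads the text produced by `mvn dependency:tree` and reports every resolved commons-io older than 2.7, the floor this report gives, together with the chain of parents that pulls it in. The two tree listings are constructed to mirror the situation before and after the workaround above; the artifact names and the 2.7 floor come from this issue, while the sample project coordinates (`com.example:demo`) are invented.

```python
"""Flag a commons-io version below the floor named in ZK-5140 in the
output of `mvn dependency:tree`, and show which parents pulled it in."""
import re
from typing import Dict, Iterator, List, Tuple

FLOOR = "2.7"                      # first commons-io release the report treats as fixed
TARGET = "commons-io:commons-io"   # groupId:artifactId to look for
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample output shaped like `mvn dependency:tree` (not a real build log):
# the default, non-verbose listing for a project that depends on zk 9.6.1.
BEFORE_TREE = (
    "[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---\n"
    "[INFO] com.example:demo:war:1.0-SNAPSHOT\n"
    "[INFO] +- org.zkoss.zk:zk:jar:9.6.1:compile\n"
    "[INFO] |  +- org.zkoss.common:zcommon:jar:9.6.1:compile\n"
    "[INFO] |  \\- commons-fileupload:commons-fileupload:jar:1.4:compile\n"
    "[INFO] |     \\- commons-io:commons-io:jar:2.2:compile\n"
    "[INFO] \\- junit:junit:jar:4.13.2:test\n"
)

# Constructed listing after the workaround pins commons-io 2.11.0 as a direct
# dependency: Maven's nearest-wins rule resolves that version for the whole build.
AFTER_TREE = (
    "[INFO] com.example:demo:war:1.0-SNAPSHOT\n"
    "[INFO] +- org.zkoss.zk:zk:jar:9.6.1:compile\n"
    "[INFO] |  \\- commons-fileupload:commons-fileupload:jar:1.4:compile\n"
    "[INFO] \\- commons-io:commons-io:jar:2.11.0:compile\n"
)

# A tree line is "[INFO] " followed by 3-character drawing cells and one coordinate.
# Verbose-mode annotations such as "(version managed from 2.2)" are not handled.
TREE_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |\+- |\\- |   )*)(?P<coord>\S+)$")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering, padded so that 2.7 == 2.7.0 (qualifiers ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_tree(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (depth, groupId:artifactId, version) for each dependency line."""
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 4:          # need at least groupId:artifactId:type:version
            continue
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        yield len(m.group("prefix")) // 3, f"{parts[0]}:{parts[1]}", version


def find_below_floor(text: str, target: str = TARGET, floor: str = FLOOR) -> List[Dict]:
    """Return each resolved occurrence of `target` older than `floor`, with the
    path from the project root that pulled it in."""
    stack: List[Tuple[int, str]] = []   # (depth, "g:a:v") along the current branch
    hits: List[Dict] = []
    for depth, ga, version in parse_tree(text):
        while stack and stack[-1][0] >= depth:   # climb back to this node's parent
            stack.pop()
        stack.append((depth, f"{ga}:{version}"))
        if ga == target and version_key(version) < version_key(floor):
            hits.append({"version": version, "path": [node for _, node in stack]})
    return hits


if __name__ == "__main__":
    for label, tree in (("before workaround", BEFORE_TREE), ("after workaround", AFTER_TREE)):
        hits = find_below_floor(tree)
        print(f"{label}: {len(hits)} commons-io version(s) below {FLOOR}")
        for hit in hits:
            print("  " + " -> ".join(hit["path"]))
```

In a real project the input is the output of `mvn dependency:tree` run in the module directory; the parser only keys on the `[INFO]` tree lines, so the rest of the build log can be piped through unchanged.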

People

Assignee: DevChu
Reporter: MDuchemin