Steps to Reproduce
Load zk.jar 9.6.1 through Maven.
Current Result
zk 9.6.1 transitively loads commons-fileupload 1.4.
commons-fileupload 1.4 transitively loads commons-io 2.2.
Expected Result
zk should not load vulnerable dependencies; update to commons-io 2.11 if there are no compatibility issues.
Debug Information
commons-io is vulnerable up to 2.7:
https://mvnrepository.com/artifact/commons-io/commons-io
The CKEZ package also loads commons-fileupload 1.4, but specifies commons-io 2.7:
https://github.com/zkoss/zkckeditor/blob/master/ckez/pom.xml
Workaround
Set the version manually for commons-io in the pom file:
    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.11.0</version>
    </dependency>
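Because Maven resolves conflicting transitive versions by "nearest wins", the only reliable way to know which commons-io ends up on the classpath is to inspect the resolved tree, e.g. `mvn dependency:tree -Dincludes=commons-io`, both before and after the pin. The script below is an added example (it is not part of this report or of the ZK project) that parses such output and flags any commons-io older than the workaround's 2.11.0; the two sample trees are constructed for illustration, and the root project coordinates in them are placeholders.

```python
import re

# Constructed sample of `mvn dependency:tree` output before the workaround.
# The root artifact and plugin version are placeholders; the
# zk -> commons-fileupload 1.4 -> commons-io 2.2 chain is the one in the report.
TREE_BEFORE = r"""
[INFO] --- maven-dependency-plugin:X.Y.Z:tree (default-cli) @ demo ---
[INFO] com.example:demo:war:1.0-SNAPSHOT
[INFO] \- org.zkoss.zk:zk:jar:9.6.1:compile
[INFO]    \- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO]       \- commons-io:commons-io:jar:2.2:compile
"""

# Constructed sample after declaring commons-io 2.11.0 directly in the pom:
# nearest-wins mediation keeps the direct 2.11.0, and the non-verbose tree
# no longer lists the transitive 2.2 under commons-fileupload.
TREE_AFTER = r"""
[INFO] com.example:demo:war:1.0-SNAPSHOT
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] \- org.zkoss.zk:zk:jar:9.6.1:compile
[INFO]    \- commons-fileupload:commons-fileupload:jar:1.4:compile
"""


def parse_tree(text):
    """Parse dependency lines of `mvn dependency:tree` output into
    (groupId, artifactId, version, scope) tuples.

    Coordinates are printed as group:artifact:type[:classifier]:version:scope,
    so the version is always the second-to-last field and the scope the last.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.replace("[INFO]", "", 1).strip()
        coord = line.lstrip("+-\\| ").strip()   # drop the tree-drawing prefix
        parts = coord.split(":")
        # Skip blank lines, the plugin header (contains spaces) and the root
        # artifact (only four fields, no scope).
        if len(parts) < 5 or " " in coord:
            continue
        deps.append((parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def version_key(version):
    """Numeric sort key for dotted versions such as 2.2, 2.7 or 2.11.0.

    Non-numeric suffixes (e.g. 2.8-SNAPSHOT) are ignored, which is sufficient
    for commons-io release numbers; keys are padded to three components so
    that 2.7 and 2.7.0 compare equal.
    """
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def find_vulnerable(deps, group="commons-io", artifact="commons-io",
                    min_ok="2.11.0"):
    """Return resolved entries of group:artifact older than `min_ok`.

    Assumption: the default floor is the 2.11.0 the workaround pins; the
    report itself states commons-io is vulnerable up to 2.7, so a caller
    tracking a different advisory can pass another floor.
    """
    floor = version_key(min_ok)
    return [d for d in deps
            if d[0] == group and d[1] == artifact and version_key(d[2]) < floor]


if __name__ == "__main__":
    import sys
    # Pipe real `mvn dependency:tree` output in; fall back to the sample tree.
    text = sys.stdin.read() if not sys.stdin.isatty() else TREE_BEFORE
    for g, a, v, s in find_vulnerable(parse_tree(text)):
        print(f"{g}:{a}:{v} ({s}) is older than 2.11.0")
```

Run it as `mvn dependency:tree | python check_commons_io.py` (the file name is a placeholder); an empty result after adding the pin confirms the workaround took effect, while a listed 2.2 means the transitive version is still winning (for example because the pin was placed in a module other than the one being built).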