ZK loads vulnerable commons-io transitively


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 10.0.0, 9.6.3
    • Affects Version/s: 9.6.1
    • Component/s: None
    • Security Level: Jimmy
    • Labels: None

      Steps to Reproduce

      Load zk.jar 9.6.1 through maven

      Current Result

      zk.jar 9.6.1 transitively loads commons-fileupload 1.4

      commons-fileupload transitively loads commons-io 2.2

      Expected Result

      ZK doesn't load vulnerable dependencies; update to commons-io 11 if there are no compatibility issues

      Debug Information

      commons-io is vulnerable in releases up to 2.7:

      https://mvnrepository.com/artifact/commons-io/commons-io


      The CKEZ package also loads commons-fileupload 1.4, but explicitly specifies commons-io 2.7:

      https://github.com/zkoss/zkckeditor/blob/master/ckez/pom.xml

      Workaround

      Set the commons-io version manually as a direct dependency in the pom file (a direct declaration wins over the transitive 2.2 under Maven's nearest-wins resolution):

        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>2.11.0</version>
        </dependency>

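      As an added check, not part of this issue or the ZK project, the POSIX shell script below scans `mvn dependency:tree` output for commons-io versions below 2.7 and exits non-zero when one is found, so the pin above can be verified in CI. The tree lines are constructed to mirror the report; the org.example app coordinate is made up.

```shell
# Added check (not from the ZK issue): scan `mvn dependency:tree` text for
# commons-io below 2.7, the first release the report treats as safe.
# Only numeric dotted versions (2.2, 2.11.0) are handled, no qualifiers.
MIN_SAFE="2.7"
# version_ge A B: returns 0 when A >= B comparing dot-separated numeric parts.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}
# check_commons_io: reads dependency:tree text on stdin, prints one line per
# commons-io artifact as "<version> <scope> OK|VULNERABLE"; exit status is 1
# if any resolved version is below MIN_SAFE, so it can gate a build.
check_commons_io() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *commons-io:commons-io:*) ;;
            *) continue ;;
        esac
        # drop the tree-drawing prefix, keep "jar:2.2:compile[ (managed ...)]"
        coord=${line##*commons-io:commons-io:}
        version=$(printf '%s' "$coord" | cut -d: -f2)
        scope=$(printf '%s' "$coord" | cut -d: -f3 | cut -d' ' -f1)
        if version_ge "$version" "$MIN_SAFE"; then
            echo "$version $scope OK"
        else
            echo "$version $scope VULNERABLE"; rc=1
        fi
    done
    return $rc
}
# Constructed sample trees: before and after pinning commons-io 2.11.0 as
# in the workaround (Maven then omits the overridden transitive 2.2).
TREE_BEFORE='[INFO] org.example:app:jar:1.0
[INFO] \- org.zkoss.zk:zk:jar:9.6.1:compile
[INFO]    \- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO]       \- commons-io:commons-io:jar:2.2:compile'
TREE_AFTER='[INFO] org.example:app:jar:1.0
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] \- org.zkoss.zk:zk:jar:9.6.1:compile
[INFO]    \- commons-fileupload:commons-fileupload:jar:1.4:compile'
```

      Run it as `mvn dependency:tree | check_commons_io` in a project that has sourced the script; a non-zero exit means a vulnerable commons-io is still on the classpath.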

            Assignee: DevChu
            Reporter: MDuchemin