Maven libs in Drools 7.73.0 exposed to CVE-2021-26291

vsoma

Jul 29, 2022, 9:32:57 PM
to Drools Setup
I hope this is the right group for this question. Please do let me know if I need to report it elsewhere.

The latest version of Drools Engine 7.73.0 at:
 https://download.jboss.org/drools/release/7.73.0.Final/drools-distribution-7.73.0.Final.zip 
includes the following maven libraries:

maven-aether-provider-3.3.9.jar
maven-artifact-3.3.9.jar
maven-builder-support-3.3.9.jar
maven-compat-3.3.9.jar
maven-core-3.3.9.jar
maven-model-3.3.9.jar
maven-model-builder-3.3.9.jar
maven-plugin-api-3.3.9.jar
maven-repository-metadata-3.3.9.jar
maven-settings-3.3.9.jar
maven-settings-builder-3.3.9.jar

Vulnerability scanners keep reporting some of these as being exposed to the critical CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-26291.
As the Maven libraries at version 3.3.9 are several years old, is there a plan to update them to the latest version (3.8.1 or later)?

Thanks!
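One way to inventory the jars named in the post inside a distribution archive, as an added example that is not part of the original post or of the Drools project: it flags the listed Maven artifacts whose version is below 3.8.1, the target version the post mentions. The function names, the sample archive and its entry paths are constructed for illustration.

```python
import io
import re
import zipfile

# Target version taken from the post ("3.8.1 or later").
FIXED_VERSION = (3, 8, 1)

# Artifact names exactly as listed in the post.
MAVEN_ARTIFACTS = {
    "maven-aether-provider", "maven-artifact", "maven-builder-support",
    "maven-compat", "maven-core", "maven-model", "maven-model-builder",
    "maven-plugin-api", "maven-repository-metadata", "maven-settings",
    "maven-settings-builder",
}

# <artifact>-<numeric version>[qualifier].jar at the end of a zip entry path.
JAR_RE = re.compile(
    r"(?:^|/)(maven-[a-z-]+?)-(\d+(?:\.\d+)*)(?:[.-][A-Za-z][\w.-]*)?\.jar$"
)

def outdated_maven_jars(zip_source):
    """Return sorted (entry path, version) pairs for listed jars below FIXED_VERSION."""
    findings = []
    with zipfile.ZipFile(zip_source) as zf:
        for entry in zf.namelist():
            m = JAR_RE.search(entry)
            if not m or m.group(1) not in MAVEN_ARTIFACTS:
                continue
            # Qualifiers (e.g. "-beta-1") are ignored; only numeric parts compare.
            version = tuple(int(part) for part in m.group(2).split("."))
            if version < FIXED_VERSION:
                findings.append((entry, m.group(2)))
    return sorted(findings)

def build_sample_zip():
    """Constructed sample archive; not the real distribution layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("sample-dist/lib/maven-core-3.3.9.jar",
                     "sample-dist/lib/maven-model-builder-3.3.9.jar",
                     "sample-dist/lib/maven-settings-3.8.1.jar",
                     "sample-dist/lib/drools-core-7.73.0.Final.jar"):
            zf.writestr(name, b"")
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    for path, version in outdated_maven_jars(build_sample_zip()):
        print(f"{path}: {version} is older than 3.8.1")
```

`outdated_maven_jars` also accepts a filesystem path to a downloaded zip; jars nested inside other archives in the zip are not opened.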