You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
By using httpclient@4.5.13, that library is importing commons-logging/commons-logging@1.2 which then has a very old version of log4j in use, with several critical vulnerabilities. The current one that is being raised by our SBOM scanning is https://www.cve.org/CVERecord?id=CVE-2020-9493
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
NOTE: these log4j vulnerabilities are classified as Critical, which for PCI compliance has a 30 day expected resolution. As a payment provider I hope that this might help escalate the attention of this issue 🤞
The text was updated successfully, but these errors were encountered:
By using
httpclient@4.5.13, that library is importingcommons-logging/commons-logging@1.2which then has a very old version of log4j in use, with several critical vulnerabilities. The current one that is being raised by our SBOM scanning is https://www.cve.org/CVERecord?id=CVE-2020-9493The lastest
httpclient4version seems to be 4.5.14, which doesn't address the commons-logging library version, but you can maybe try upgrading tohttpclient5https://mvnrepository.com/artifact/org.apache.httpcomponents.client5/httpclient5NOTE: these log4j vulnerabilities are classified as Critical, which for PCI compliance has a 30 day expected resolution. As a payment provider I hope that this might help escalate the attention of this issue 🤞
The text was updated successfully, but these errors were encountered: