Mahidhar Chaluvadi created SLING-11162:
------------------------------------------
Summary: Vulnerabilities stopping us from procuring these libs
Key: SLING-11162
URL: https://issues.apache.org/jira/browse/SLING-11162
Project: Sling
Issue Type: Bug
Components: XSS Protection API
Reporter: Mahidhar Chaluvadi
Today we wanted to use the latest version of WCM IO Mocks for AEM JUnit Testing,
and our organization denied our request stating there are vulnerabilities in
the dependency chain; here are the details. Wondering if there is a way to
revise the version including the necessary fixes. We are okay to contribute back to
the respective git repo with the required guidance so we don't violate any
standards you may have.
Dependency: MAVEN -
org.apache.sling:org.apache.sling.resourcebuilder:1.0.4:jar
RejectReasons (2)
RejectReason: 2057e68c-41f8-4f57-80fe-54278d93e422
Type: VULNERABILITY
Name: CVE-2016-0956
CVSS Score v2: 7.8
Severity: high
Description: The Servlets Post component 2.3.6 in Apache Sling,
as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote
attackers to obtain sensitive information via unspecified vectors.
RejectReason: 51205845-93e2-4d67-8289-afe4ee35cd65
Type: VULNERABILITY
Name: CVE-2016-6798
CVSS Score v2: 7.5
Severity: high
Description: In the XSS Protection API module before 1.0.12 in
Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to
validate the input string, which allows for XXE attacks in all scripts which
use this method to validate user input, potentially allowing an attacker to
read sensitive data on the filesystem, perform same-site-request-forgery
(SSRF), port-scanning behind the firewall or DoS the application.
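Added example, not code from the Sling project or from this report: a SAXParserFactory hardened against the XXE weakness that CVE-2016-6798 describes, used by a small validity check of the same shape as XSS.getValidXML(). The class and method names are hypothetical, and the DOCTYPE input is a constructed sample that the hardened parser refuses before any entity is resolved.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlCheck {

    // Hypothetical helper: builds a factory with every external-entity path closed.
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // JAXP secure processing: limits entity expansion and external access
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright; entities cannot be declared without one
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that permit a DOCTYPE: no external entities
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another way to pull in external content
        f.setXIncludeAware(false);
        return f;
    }

    // Hypothetical stand-in for a getValidXML-style check: true only if the input
    // parses under the hardened configuration.
    static boolean isValidXml(String input) {
        try {
            SAXParser parser = hardenedFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(input)), new DefaultHandler());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String plain = "<a><b>text</b></a>";
        // Constructed sample: a document type declaration defining an external entity
        String withDoctype =
            "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///dev/null\">]><a>&e;</a>";
        System.out.println("plain accepted: " + isValidXml(plain));
        System.out.println("doctype accepted: " + isValidXml(withDoctype));
    }
}
```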
--
This message was sent by Atlassian Jira
(v8.20.1#820001)