Hi Team,

We are using OWASP Dependency-Check to scan for vulnerabilities in our project. Even when we use the latest version of the activemq-kahadb-store jar (version 5.15.9), we see some vulnerabilities such as *CVE-2018-11775 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11775>* and *CVE-2016-3088 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3088>*, which ideally should be fixed in the latest release as mentioned at the link: https://activemq.apache.org/components/classic/security

Can you please check and tell us whether the issue is not fixed, or whether the NVD database is still showing the vulnerability even if the issue is fixed?

Attached is the Dependency-Check report generated after adding the following dependencies in pom.xml:

    <dependency>
        <groupId>org.apache.activemq</groupId>
        <version>5.15.9</version>
        <artifactId>activemq-kahadb-store</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.activemq</groupId>
        <version>5.15.9</version>
        <artifactId>activemq-broker</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.activemq</groupId>
        <version>5.15.9</version>
        <artifactId>activemq-client</artifactId>
    </dependency>

Thanks and Regards,
Venu B