We're looking forward to leveraging this plugin as our enterprise solution! Our corporate security scans have flagged one NVD-sourced vulnerability (CVE-2017-1000487) related to the Plexus-utils library:
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Requesting that the next release be built with plexus-utils >= 3.0.16 (current version 3.0.15)
plexus-utils 3.0.15 was being pulled in by the scm-manager bits.
Newer versions of these artifacts don't include explicit dependencies on plexus-utils, and allow the other project dependencies (maven core, etc.) to pull in plexus-utils.
I've bumped the SCM api and related artifacts to 1.11.1, and added an explicit dependency on the latest 3.0.x release of plexus-utils (as of now) which is 3.0.24.
This will be released shortly as hotfix release 2.1.1...
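To confirm which plexus-utils version a build actually resolves and which dependency drags it in, the output of `mvn dependency:tree` can be checked against the 3.0.16 threshold from the report. The following is an added example, not code from this project; the `com.example` coordinates and both sample trees are constructed placeholders.

```python
import re

FIXED = (3, 0, 16)  # first plexus-utils version outside the CVE-2017-1000487 range
ARTIFACT = "org.codehaus.plexus:plexus-utils"

# Constructed `mvn dependency:tree` output (placeholder coordinates).
TREE_BEFORE = r"""[INFO] com.example:some-plugin:maven-plugin:2.1.0
[INFO] +- com.example:scm-bits:jar:1.0:compile
[INFO] |  \- org.codehaus.plexus:plexus-utils:jar:3.0.15:compile
[INFO] \- org.apache.maven:maven-core:jar:3.0:compile
"""
TREE_AFTER = r"""[INFO] com.example:some-plugin:maven-plugin:2.1.1
[INFO] +- com.example:scm-bits:jar:1.11.1:compile
[INFO] \- org.codehaus.plexus:plexus-utils:jar:3.0.24:compile
"""

# "[INFO] " + tree-drawing prefix (3 chars per level) + Maven coordinate
LINE = re.compile(r"^\[INFO\] ([|+\\\- ]*)([A-Za-z]\S*)$")


def version_tuple(version):
    """'3.0.15' -> (3, 0, 15); a '-SNAPSHOT' style qualifier is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def find_vulnerable(tree_text, artifact=ARTIFACT, fixed=FIXED):
    """Return (version, dependency path) for each resolved copy below `fixed`."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip banner and summary lines
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        del stack[depth:]  # climb back to this line's parent
        stack.append(":".join(parts[:2]))
        # Dependencies are group:artifact:type[:classifier]:version:scope
        if len(parts) >= 5 and stack[-1] == artifact:
            version = parts[-2]
            if version_tuple(version) < fixed:
                findings.append((version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for version, path in find_vulnerable(TREE_BEFORE):
        print(f"plexus-utils {version} is below 3.0.16: {path}")
```

The reported path shows which direct dependency needs an upgrade or an exclusion; an empty result on the rebuilt tree confirms the fix took effect.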