On March 13, 2021 4:19:34 PM UTC, Andrew Marlow <marlow.age...@gmail.com> wrote:
>Hello everyone,
>
>I hope this is the right mailing list in which to discuss such questions. I
>tried on the user taglibs mailing list and they suggested here.
>
>The library hasn't changed since 2015 (version 1.2.5) but there are several
>CVEs logged against it. They are CVE-2020-29243-5. They are all ranked as
>6.5 medium by NIST.

Those CVEs have nothing to do with the Apache Tomcat standard tag library.

>What is the chance of any fix for these issues please?

Follow the links for each of the project GitHub issues linked in each of
those 3 CVEs for fix details.

>The library is quite a low-level one in that several higher-level
>components have it as a dependency. This makes such components vulnerable.
>I'm thinking of axis2. I did an OWASP analysis on it and that is what
>reported those CVEs.

Then either the tool, or the usage of it, is seriously flawed if it reported
those CVEs against the Apache Tomcat standard tag library.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
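The practical follow-up to the exchange above, once you have confirmed through the GitHub issues linked from each CVE that the three records concern a different project, is to stop the scanner from re-reporting them. The suppression file below is an added example and is not part of the thread or of the Tomcat project; it assumes the scanner is OWASP Dependency-Check and that the taglib enters the build as the Maven artifacts org.apache.taglibs:taglibs-standard-* at version 1.2.5 (an assumption about the reader's build, not stated on the page).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the mailing-list thread.
     Assumes the taglib is pulled in as org.apache.taglibs:taglibs-standard-impl,
     -spec and/or -jstlel at version 1.2.5; adjust the packageUrl pattern to
     match the coordinates your own scan report shows. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2020-29243, CVE-2020-29244 and CVE-2020-29245 were matched against
      org.apache.taglibs:taglibs-standard-*. Per the tomcat-dev reply and the
      GitHub issues linked from each CVE record, they concern a different
      project, so the match is a false positive. Re-verify if the library
      version or the tool's vulnerability data changes.
    ]]></notes>
    <!-- Scope the suppression to this one package so a genuine hit on the
         same CVE IDs against a different dependency is not hidden. -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.taglibs/taglibs\-standard.*@.*$</packageUrl>
    <cve>CVE-2020-29243</cve>
    <cve>CVE-2020-29244</cve>
    <cve>CVE-2020-29245</cve>
  </suppress>
</suppressions>
```

Pass the file to the CLI with `--suppression suppressions.xml`, or list it under `<suppressionFiles>` in the Maven plugin configuration. Suppressing by package URL plus explicit CVE IDs, rather than by CPE or by CVE alone, keeps the suppression narrow: it only silences those three records for that one dependency, and it leaves any other finding against the same artifact, or the same CVEs against a different artifact, visible in the report.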