[ https://issues.apache.org/jira/browse/MSHARED-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574761#comment-17574761 ]
Richard O'Sullivan commented on MSHARED-848:
--------------------------------------------

Apache Commons IO before 2.7 is vulnerable to [https://nvd.nist.gov/vuln/detail/CVE-2021-29425], "Improper Limitation of a Pathname to a Restricted Directory". The NIST NVD Severity Score is 4.8, MEDIUM. Since the latest Long-Term Support (LTS) version of Java is now V17, the update to commons-io 2.7 or higher or removal of same should be reconsidered.

> Code Improvement in ReaderFactory to get rid of commons-io dependency
> ---------------------------------------------------------------------
>
>                 Key: MSHARED-848
>                 URL: https://issues.apache.org/jira/browse/MSHARED-848
>             Project: Maven Shared Components
>          Issue Type: Improvement
>          Components: maven-shared-utils
>    Affects Versions: maven-shared-utils-3.3.3
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>
> Currently the dependency to:
> {code:xml}
> <dependency>
>   <groupId>commons-io</groupId>
>   <artifactId>commons-io</artifactId>
>   <version>2.6</version>
> </dependency>
> {code}
> is only needed within the class {{ReaderFactory}} which imports
> {{org.apache.commons.io.input.XmlStreamReader}}.
> The question: Can that be replaced with something different? In consequence
> we could get rid of the dependency on {{commons-io}}.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
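The issue asks whether the single use of commons-io's XmlStreamReader in ReaderFactory can be replaced with plain JDK code. The part of XmlStreamReader that ReaderFactory actually needs is charset detection for an XML byte stream: byte-order mark first, then the encoding pseudo-attribute of the XML declaration, then the XML default of UTF-8. The class below is an added example of that detection written against the JDK only; it is not maven-shared-utils or commons-io code, the class and method names are assumptions, and it deliberately omits XmlStreamReader's HTTP Content-Type handling and its lenient/strict mismatch checks. The sample documents in main() are constructed for the demonstration.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Dependency-free XML charset sniffer (added example; hypothetical class name).
 * Precedence: BOM, then encoding="..." in the XML declaration, then UTF-8.
 */
public final class XmlEncodingSniffer {

    // Bytes inspected before deciding; any real XML declaration fits easily.
    private static final int PROLOG_LIMIT = 1024;

    // Only legal charset-name characters are captured, so Charset.isSupported cannot throw.
    private static final Pattern ENCODING_DECL = Pattern.compile(
        "^<\\?xml\\s+version\\s*=\\s*[\"'][^\"']*[\"']\\s+encoding\\s*=\\s*[\"']([A-Za-z][A-Za-z0-9._-]*)[\"']");

    private XmlEncodingSniffer() {}

    /** Length of a recognised BOM at the start of head, or 0 if none. */
    static int bomLength(byte[] head, int n) {
        if (n >= 3 && (head[0] & 0xFF) == 0xEF && (head[1] & 0xFF) == 0xBB && (head[2] & 0xFF) == 0xBF) return 3;
        if (n >= 2 && (head[0] & 0xFF) == 0xFE && (head[1] & 0xFF) == 0xFF) return 2;
        if (n >= 2 && (head[0] & 0xFF) == 0xFF && (head[1] & 0xFF) == 0xFE) return 2;
        return 0;
    }

    /** Charset chosen from the first n bytes of head. */
    static Charset detect(byte[] head, int n) throws IOException {
        int bom = bomLength(head, n);
        if (bom == 3) return StandardCharsets.UTF_8;
        if (bom == 2) return (head[0] & 0xFF) == 0xFE ? StandardCharsets.UTF_16BE : StandardCharsets.UTF_16LE;
        // No BOM: the declaration is ASCII-compatible, so decode the prolog as ISO-8859-1,
        // which never fails on arbitrary bytes, and look for the encoding pseudo-attribute.
        String prolog = new String(head, 0, n, StandardCharsets.ISO_8859_1);
        Matcher m = ENCODING_DECL.matcher(prolog);
        if (m.find()) {
            String name = m.group(1);
            if (!Charset.isSupported(name)) {
                throw new IOException("Unsupported XML encoding: " + name);
            }
            return Charset.forName(name);
        }
        return StandardCharsets.UTF_8; // XML default when neither BOM nor declaration is present
    }

    /** Returns a Reader over in, decoding with the detected charset and with any BOM consumed. */
    public static Reader newXmlReader(InputStream in) throws IOException {
        BufferedInputStream bis = new BufferedInputStream(in, PROLOG_LIMIT * 2);
        bis.mark(PROLOG_LIMIT);
        byte[] head = new byte[PROLOG_LIMIT];
        int n = 0;
        while (n < head.length) {
            int r = bis.read(head, n, head.length - n);
            if (r < 0) break;
            n += r;
        }
        bis.reset();
        Charset cs = detect(head, n);
        // Consume the BOM so the decoded stream does not start with U+FEFF.
        for (int i = 0, bom = bomLength(head, n); i < bom; i++) bis.read();
        return new InputStreamReader(bis, cs);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample documents, one per detection rule.
        byte[] declared = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><a>caf\u00e9</a>".getBytes(StandardCharsets.ISO_8859_1);
        byte[] bomUtf8 = "\uFEFF<?xml version=\"1.0\"?><a/>".getBytes(StandardCharsets.UTF_8);
        byte[] bare = "<a/>".getBytes(StandardCharsets.UTF_8);
        for (byte[] doc : new byte[][] {declared, bomUtf8, bare}) {
            System.out.println(detect(doc, doc.length) + " -> " + readAll(newXmlReader(new ByteArrayInputStream(doc))));
        }
    }

    private static String readAll(Reader r) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int c; (c = r.read()) >= 0; ) sb.append((char) c);
        return sb.toString();
    }
}
```

Removing the import from ReaderFactory only removes the transitive exposure to CVE-2021-29425 for consumers of maven-shared-utils if nothing else still pulls commons-io in; after the change, confirm with `mvn dependency:tree -Dincludes=commons-io` on the module and on a downstream project.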