[ https://issues.apache.org/jira/browse/MNG-7533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606277#comment-17606277 ]

Karl Heinz Marbaise commented on MNG-7533:
------------------------------------------

The given image references a file {{wagon-http-3.5.1-shaded.jar}} and signals the [CVE|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425], which explicitly describes the usage of {{FileNameUtils.normalize}}. The referenced {{wagon-http-3.5.1-shaded.jar}} file does not even contain Commons IO code. Also, the Maven code does not use the described code path.

> jar v2.6 has medium (CVE-2021-29425) Prisma vulnerability associated with maven v3.8.6
> --------------------------------------------------------------------------------------
>
>                 Key: MNG-7533
>                 URL: https://issues.apache.org/jira/browse/MNG-7533
>             Project: Maven
>          Issue Type: Bug
>         Environment: Production
>            Reporter: John Roddy
>            Priority: Major
>             Fix For: waiting-for-feedback, wontfix-candidate
>
>         Attachments: MicrosoftTeams-image (5).png
>
>
> jar v2.6 has medium (CVE-2021-29425) Prisma vulnerability associated with maven v3.8.6. We're using the latest for maven which is v3.8.6. Please upgrade jar to the latest to remediate the Prisma vulnerability associated with maven v3.8.6. Thank you!
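An added check, not part of this issue or of the Maven/Wagon code, for verifying a scanner finding like this one against what a shaded jar actually bundles: it lists any org/apache/commons/io/ class entries (the package FilenameUtils lives in) in a jar, descending into nested jars, and reports whether a CVE-2021-29425 finding is even plausible for it. The two sample jars are constructed in memory so the script runs offline; to reproduce the check on the real wagon-http-3.5.1-shaded.jar, pass that file's bytes to commons_io_entries.

```python
import io
import zipfile
from typing import Dict, List

# Package prefix of Apache Commons IO; FilenameUtils (CVE-2021-29425) lives under it.
COMMONS_IO_PREFIX = "org/apache/commons/io/"


def commons_io_entries(jar_bytes: bytes) -> List[str]:
    """Return every Commons IO class entry in a jar, descending into nested jars."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(COMMONS_IO_PREFIX) and name.endswith(".class"):
                found.append(name)
            elif name.endswith(".jar"):  # jar-in-jar packaging
                found.extend(commons_io_entries(zf.read(name)))
    return found


def finding_is_plausible(jar_bytes: bytes) -> bool:
    """A CVE-2021-29425 finding needs the vulnerable class to be present; shaded jars
    bundle dependencies, so a coordinate-based scanner match alone is not enough."""
    return any(e.endswith("/FilenameUtils.class") for e in commons_io_entries(jar_bytes))


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip) with the given entries; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins (class bodies are only the class-file magic, not real bytecode).
FAKE_CLASS = b"\xca\xfe\xba\xbe"
SHADED_WITHOUT_COMMONS_IO = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/maven/wagon/providers/http/HttpWagon.class": FAKE_CLASS,
    "org/apache/http/client/HttpClient.class": FAKE_CLASS,
})
SHADED_WITH_COMMONS_IO = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "lib/commons-io.jar": build_jar({"org/apache/commons/io/FilenameUtils.class": FAKE_CLASS}),
})

if __name__ == "__main__":
    for label, jar in (("without", SHADED_WITHOUT_COMMONS_IO), ("with", SHADED_WITH_COMMONS_IO)):
        print(label, commons_io_entries(jar), finding_is_plausible(jar))
```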