[metro-dev] Vulnerability SONATYPE-2012-0050 via commons-codec 1.13

Hi team,
webservices-rt 2.4.7 is flagging as vulnerable due to the inclusion of commons-codec 1.13, which is vulnerable to SONATYPE-2012-0050.

---
The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32 and Base64 classes fails to reject malformed Base32 and Base64 encoded strings and consequently decode them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings.
While a fix was earlier made to commons-codec:commons-codec version 1.13, it was later found out to be incomplete. A complete fix exists in version 1.14 and that is the version users should upgrade to.
---

I haven't found any other issues or PRs relating to this and your main branch appears to include commons-codec 1.13 too.

Can this dependency be updated to 1.14 or greater to resolve this vulnerability?
Thanks,
Alex
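To make the advisory's point concrete from the defender's side, here is an added Python illustration (not commons-codec code, and not part of the message above) of how a lenient decoder lets two different Base64 strings decode to the same bytes, and the canonical round-trip check that rejects the non-canonical one. The sample strings are constructed, and Python's own `base64.b64decode` stands in for the lenient decoder.

```python
import base64
import binascii

# Constructed sample inputs (not from the advisory): under a lenient decoder both
# strings yield b"ABCD". "QUJDRA==" is the canonical encoding; "QUJDRB==" differs
# only in the four unused trailing bits of its last symbol, which a lenient
# decoder silently discards, so those bits can carry data the decoder never reports.
CANONICAL = "QUJDRA=="
NON_CANONICAL = "QUJDRB=="

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def lenient_decode(s: str) -> bytes:
    """Stand-in for a lenient decoder: checks the alphabet, ignores trailing bits."""
    return base64.b64decode(s, validate=True)


def trailing_bits(s: str) -> int:
    """Value of the unused bits in the final data symbol (zero in a canonical string).

    Base64 packs 3 bytes into 4 symbols. With one '=' pad the last data symbol
    contributes 6 bits of which 2 are unused; with two '=' pads 4 of its 6 are unused.
    """
    pad = len(s) - len(s.rstrip("="))
    if pad == 0:
        return 0
    last = B64_ALPHABET.index(s.rstrip("=")[-1])
    unused = 2 * pad
    return last & ((1 << unused) - 1)


def is_canonical(s: str) -> bool:
    """True only if re-encoding the decoded bytes reproduces the input exactly."""
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return False
    return base64.b64encode(raw).decode("ascii") == s


def strict_decode(s: str) -> bytes:
    """Decoder that rejects malformed or non-canonical input, as the advisory calls for."""
    if not is_canonical(s):
        raise ValueError(f"rejecting non-canonical or malformed base64: {s!r}")
    return base64.b64decode(s, validate=True)


if __name__ == "__main__":
    for sample in (CANONICAL, NON_CANONICAL):
        print(sample, lenient_decode(sample), "trailing bits =", trailing_bits(sample),
              "canonical =", is_canonical(sample))
```

The same round-trip comparison works as a cheap input-validation gate in front of any decoder whose strictness you cannot control, and flags the one-pad case ("QUJ=" versus the canonical "QUI=") just as well.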