
Eureka client using version of apache commons-configuration vulnerable to CVE-2024-29131 and CVE-2024-29133 #1556

Open
eddboyer opened this issue Aug 30, 2024 · 0 comments

Comments

@eddboyer

The Eureka client library is using commons-configuration:commons-configuration:1.10 which is vulnerable to the following CVEs:

- CVE-2024-29131
- CVE-2024-29133

Both of these vulnerabilities were initially reported as only affecting org.apache.commons:commons-configuration2; however, they're now getting flagged against commons-configuration:commons-configuration:1.10 also. There is some explanation here: ESAPI/esapi-java-legacy#843

[Vendor] team discovered that [CVE-2024-29131] was also introduced in version 1.8 of the predecessor package commons-configuration instead of only affecting versions from 2.0 before 2.10.1 as stated in the advisory.

[Vendor] team discovered that [CVE-2024-29133] was actually introduced in version 1.0-rc1 of the commons-configuration package instead of the version 2.0.0 of the commons-configuration2 package as stated in the advisory.

The current recommendation is to upgrade to org.apache.commons:commons-configuration2:2.10.1
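The confusing part of this issue is that the same two CVEs now cover two different Maven coordinates with different affected ranges, so a scanner keyed only on `org.apache.commons:commons-configuration2` misses the legacy 1.x artifact that Eureka pulls in. The script below is an added example (not code from Eureka, Apache Commons, or the ESAPI thread) that encodes the ranges exactly as stated above and checks them against a resolved dependency report such as `./gradlew dependencies` or `mvn dependency:tree`. Assumptions: the legacy `commons-configuration:commons-configuration` line has no fixed release (none is mentioned here, and the recommendation is to move to commons-configuration2 2.10.1), so its ranges are open-ended; the sample report is constructed and does not reflect a real Eureka build; and the `->` arrow is Gradle's notation for a version that conflict resolution replaced, where the resolved version on the right is the one that matters.

```python
"""Audit a resolved dependency report for the commons-configuration advisories.

Added example; the ranges come from the advisory text quoted in this issue:
  commons-configuration:commons-configuration  >= 1.8            -> CVE-2024-29131
  commons-configuration:commons-configuration  >= 1.0-rc1        -> CVE-2024-29133
  org.apache.commons:commons-configuration2    >= 2.0, < 2.10.1  -> both CVEs
Assumption: no fixed 1.x release exists, so the 1.x ranges have no upper bound.
"""
import re
from typing import List, Optional, Tuple

# (group:artifact, lower bound inclusive, upper bound exclusive or None, CVE)
ADVISORIES: List[Tuple[str, str, Optional[str], str]] = [
    ("commons-configuration:commons-configuration", "1.8", None, "CVE-2024-29131"),
    ("commons-configuration:commons-configuration", "1.0-rc1", None, "CVE-2024-29133"),
    ("org.apache.commons:commons-configuration2", "2.0", "2.10.1", "CVE-2024-29131"),
    ("org.apache.commons:commons-configuration2", "2.0", "2.10.1", "CVE-2024-29133"),
]

# Constructed sample in the shape of `./gradlew dependencies` output (not a real build).
SAMPLE_REPORT = """\
+--- com.netflix.eureka:eureka-client:2.0.3
|    +--- commons-configuration:commons-configuration:1.10
|    |    \\--- commons-lang:commons-lang:2.6
|    \\--- org.apache.commons:commons-configuration2:2.9.0 -> 2.10.1
+--- org.apache.commons:commons-lang3:3.14.0
"""

# Pre-release qualifiers sort below a final release of the same number.
_PRE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "m": 2, "rc": 2}
_FINAL_RANK = 9


def version_key(version: str) -> tuple:
    """Comparable key for Maven-style versions: numeric parts, then qualifier rank."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))  # pad so 1.0 and 1.0.0 compare equal
    qualifier, qnum = m.group(2), m.group(3)
    if qualifier is None:
        return (nums, _FINAL_RANK, 0)
    # Unknown qualifiers are treated as pre-release, between rc and final.
    return (nums, _PRE_RANK.get(qualifier.lower(), 3), int(qnum or 0))


# group:artifact[:type]:version[ -> resolvedVersion]; the optional type ("jar")
# and trailing ":scope" cover Maven's dependency:tree output as well as Gradle's.
_COORD = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+)(?::[a-z]+)?:([0-9][A-Za-z0-9_.\-]*)"
    r"(?:\s*->\s*([0-9][A-Za-z0-9_.\-]*))?"
)


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, effective version) pairs found in a dependency report."""
    found = []
    for line in text.splitlines():
        m = _COORD.search(line)
        if m:
            group, artifact, declared, resolved = m.groups()
            # Gradle prints "declared -> resolved" when conflict resolution upgraded it.
            found.append((f"{group}:{artifact}", resolved or declared))
    return found


def audit(deps: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Match each dependency against every advisory range; return (coord, version, CVE)."""
    findings = []
    for coord, version in deps:
        key = version_key(version)
        for adv_coord, lower, upper, cve in ADVISORIES:
            if coord != adv_coord:
                continue
            if key >= version_key(lower) and (upper is None or key < version_key(upper)):
                findings.append((coord, version, cve))
    return findings


if __name__ == "__main__":
    for coord, version, cve in audit(parse_report(SAMPLE_REPORT)):
        print(f"{cve}: {coord}:{version}")
```

Against the constructed report the script flags only `commons-configuration:commons-configuration:1.10` (for both CVEs); the `commons-configuration2:2.9.0 -> 2.10.1` line is clean because the resolved version, not the declared one, is what ends up on the classpath. Replacing the legacy artifact is still the only fix, since flagging it under the open-ended 1.x range is exactly what the newer scanner behaviour described above does.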
