[NXP-32219] Upgrade logback-core to fix CVE - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2021.0
Fix Version/s: 2021.48
Component/s: Distribution / Installers, Template Rendering

Tags:
Backlog priority:
900
Sprint:
nxplatform #103, nxplatform #104

Description

nuxeo-template-rendering currently has dependency on jxls version 2.12.0 which uses logback-core 1.2.10. This should be upgraded to use a minimum of logback-core 1.2.13 which fixes CVE-2023-6378.

See results from mvn dependency:tree for LTS 2021 below:

org.nuxeo.template.rendering:nuxeo-template-rendering-jxls:jar:2021.43-SNAPSHOT
 \- org.jxls:jxls:jar:2.12.0:compile
    \- ch.qos.logback:logback-core:jar:1.2.10:compile

org.nuxeo.template.rendering:nuxeo-template-rendering-core-dependencies:pom:2021.43-SNAPSHOT
 \- org.nuxeo.template.rendering:nuxeo-template-rendering-jxls:jar:2021.43-SNAPSHOT:compile
    \- org.jxls:jxls:jar:2.12.0:compile
       \- ch.qos.logback:logback-core:jar:1.2.10:compile

Attachments

Activity

People

Assignee:

Nour Al Kotob

Reporter:

Henry Miskaryan

Participants:

Henry Miskaryan, Jenkins, Nour Al Kotob

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2023-12-20 20:11

Updated:

2024-01-22 09:12

Resolved:

2024-01-15 10:45