Vulnerability detected in a particular version in build.gradle
chughpiyush opened this issue · 5 comments
Lately I was testing for vulnerabilities in my application, and that was when I realized that one of the vulnerable transitive dependencies was coming in from this project.
Then I ran the OWASP dependency checker and got to know that commons-compress-1.2.jar is vulnerable to CVE-2012-2098.
CVE-2012-2098
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
CWE-310 Cryptographic Issues
I think we should fix it in this project and I can give a Pull Request as soon as this issue is approved.
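One way to address a vulnerable transitive dependency of this kind from build.gradle, as an added example that is not from this issue or from the project: pin commons-compress to 1.4.1 (the first release the CVE description names as fixed) for the whole dependency graph. The project's own coordinates are not shown in the thread, so the direct dependency that pulls in commons-compress is a placeholder.

```groovy
// build.gradle (Groovy DSL). Added example; not the project's own build file.
// "com.example:some-library:1.0" is a placeholder for whichever direct dependency
// transitively brings in commons-compress 1.2.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'com.example:some-library:1.0'   // placeholder direct dependency

    // Option 1: a dependency constraint. Gradle resolves commons-compress to at
    // least 1.4.1 wherever it appears in the graph, without turning it into a
    // direct dependency of this project.
    constraints {
        implementation('org.apache.commons:commons-compress:1.4.1') {
            because 'CVE-2012-2098: bzip2 sorting-algorithm DoS, fixed in 1.4.1'
        }
    }
}

// Option 2 (older Gradle versions without dependency constraints): force the
// version on every configuration. Use one of the two options, not both.
configurations.all {
    resolutionStrategy.force 'org.apache.commons:commons-compress:1.4.1'
}
```

After the change, `./gradlew dependencyInsight --dependency commons-compress --configuration runtimeClasspath` shows which version of commons-compress was selected and why, so the override can be confirmed before re-running the OWASP scan; consumers of a published library, as opposed to an application, still need the library's own published POM to carry the updated version, which is why fixing it in this project rather than in each downstream build is the right place.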
A PR that updates the dependencies would be appreciated.
I would need to sign the CLA first, is that right?
yes
This issue is solved by #67.
@chughpiyush Thank you again for raising this and contributing a fix.
@chughpiyush We've published v0.8.0 including your contributions.