Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-2277

resteasy-jsapi-testing pulls in vulnerable dependencies

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 4.4.0.Final, 3.9.1.Final
    • 4.3.1.Final, 3.9.0.Final
    • None
    • None

      resteasy-jsapi-testing pulls in vulnerable dependencies

      Analyzed using https://snyk.io/, see attache pdf report.
      Selenium-java@2.51.0 was released Feb 2016
      https://mvnrepository.com/artifact/org.seleniumhq.selenium/selenium-java/2.51.0

      Dependency and code needs to be updated to use the latest version.
      It's "only" testing dependency, but test code should be treated the same way as main code.

      Information Disclosure
      Vulnerable module: io.netty:netty
      Introduced through: org.seleniumhq.selenium:selenium-java@2.51.0

      Timing Attack
      Vulnerable module: org.eclipse.jetty:jetty-util
      Introduced through: org.seleniumhq.selenium:selenium-java@2.51.0

      Deserialization of Untrusted Data
      Vulnerable module: com.google.guava:guava
      Introduced through: org.seleniumhq.selenium:selenium-java@2.51.0 and org.seleniumhq.selenium:selenium-chrome-driver@2.51.0

      Denial of Service (DoS)
      Vulnerable module: io.netty:netty
      Introduced through: org.seleniumhq.selenium:selenium-java@2.51.0

      Cross-site Scripting (XSS)
      Vulnerable module: org.eclipse.jetty:jetty-util
      Introduced through: org.seleniumhq.selenium:selenium-java@2.51.0

              rhn-support-asoldano Alessio Soldano
              rsvoboda@redhat.com Rostislav Svoboda
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: