
#125 Cx78f40514-81ff,

Milestone: v1.0 (example)
Status: closed
Owner: None
Priority: 5
Updated: 2024-06-16
Created: 2024-06-11
Labels: MDR
Private: No

opencsv has reports of the following vulnerability

https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/

The framework Apache Commons Collections before 4.3 is vulnerable to Stack Overflow. The function add() in the file src/main/java/org/apache/commons/collections4/list/SetUniqueList.java throws a StackOverflowError when the add() method is called with its own list. To resolve this issue - upgrade to version 4.3. Please note: the package name was changed to org.apache.commons:commons-collections4 on version 4.0.

It would be great to update your dependency on Apache Commons Collections to avoid this vulnerability.

Discussion

  • Scott Conway

    Scott Conway - 2024-06-16
    • status: open --> closed
    • assigned_to: Scott Conway
  • Scott Conway

    Scott Conway - 2024-06-16

    Sorry, I am closing this one. If you run mvn dependency:tree on the opencsv project, or just look at the pom file, you see we are using the latest version (4.4) of commons-collections4.

    mvn dependency:tree
    [INFO] Scanning for projects...
    [INFO]
    [INFO] ------------------------< com.opencsv:opencsv >-------------------------
    [INFO] Building opencsv 5.9.1-SNAPSHOT
    [INFO] from pom.xml
    [INFO] --------------------------------[ jar ]---------------------------------
    [INFO]
    [INFO] --- dependency:3.6.1:tree (default-cli) @ opencsv ---
    [INFO] com.opencsv:opencsv:jar:5.9.1-SNAPSHOT
    [INFO] +- org.apache.commons:commons-lang3:jar:3.13.0:compile
    [INFO] +- org.apache.commons:commons-text:jar:1.11.0:compile
    [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
    [INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
    [INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
    [INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile

    If you are showing 4.3, then your project has an explicit dependency on it, or it is pulling it in as a transitive dependency from another project that is processed before opencsv, and thus opencsv's version is getting overridden.

    In the first case you just need to update the dependencies in your pom file. In the latter case you will need to add a dependencyManagement section to override the version to 4.4 and prevent this from happening in the future.

    Hope that helps.

    Scott :)

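The fix described in the comment above, written out as an added example pom.xml for a consumer of opencsv (this is not the opencsv project's own pom, nor code from the thread). Maven's nearest-wins resolution picks whichever commons-collections4 version sits closest to the root of the tree, so a library declared before opencsv can drag in 4.3 or older; a dependencyManagement entry pins the version for every path, direct or transitive. The coordinates com.example:csv-importer, the opencsv version 5.9 and the enforcer plugin version 3.4.1 are assumptions for the example, and the enforcer rule is an optional extra that makes the build fail if a banned version ever reappears:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the opencsv project.
     Coordinates, opencsv version and enforcer version are assumed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- hypothetical project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>csv-importer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- assumed release of opencsv; set to the one you actually use -->
    <opencsv.version>5.9</opencsv.version>
    <commons-collections4.version>4.4</commons-collections4.version>
  </properties>

  <!-- dependencyManagement wins over nearest-wins: every occurrence of
       commons-collections4 in the tree, however deep and whichever
       dependency brought it in, resolves to 4.4. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>${commons-collections4.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.opencsv</groupId>
      <artifactId>opencsv</artifactId>
      <version>${opencsv.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Optional guard rail: fail the build if any path in the
           dependency tree still resolves commons-collections4 below 4.3,
           e.g. after someone adds a new library that overrides the pin. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>ban-vulnerable-collections4</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <exclude>org.apache.commons:commons-collections4:(,4.3)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm which version actually ends up on the classpath, run `mvn dependency:tree -Dincludes=org.apache.commons:commons-collections4` in the consuming project; the filtered tree shows every path that contributes the artifact and the version each path resolves to, which is what tells you whether the problem is a direct declaration in your own pom or a transitive one from another library.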
