CVE-2023-40743 - Critical Axis library vulnerability #1424
Comments
Do you have any plans to help solve this problem?
I'm sorry, I don't.
As I understand it, the 1.4.1 version in BIRT is one that fixes the CVE in 1.4.0. While it would still be good to switch to Axis 2.x, the linked CVE does not apply.
This allows WTP's package requirements on org.apache.axis packages to resolve to the packages exported by BIRT's 1.4.1 version of that bundle. eclipse-birt#1424
This allows WTP's package requirements on org.apache.axis packages to resolve to the packages exported by BIRT's 1.4.1 version of that bundle. #1424
My reading of the CVE itself is that all 1.x versions of Axis are affected. Where are you seeing that 1.4.1 fixes this issue?
It looks like this CVE is fixed with this commit
The Axis 1.x library has a reported critical vulnerability in it. The 1.4.1 version of Axis is included in BIRT 4.9.0 and 4.13.0. This library is EOL and the recommended fix is to switch to a different SOAP library (like Axis 2.x).