Org.apache.commons_commons-text vulnerability

A critical vulnerability has been released in the org.apache.commons_commons-text library with the name CVE-2022-42889. Could you check and fix it, please?

We don’t use this library.

We found usage when we checked the dependency tree:

[INFO] Scanning for projects...

[INFO] --------------< com.graphhopper:directions-api-client-hc >--------------
[INFO] Building GraphHopper Directions API hand-crafted Java Client. 7.0-SNAPSHOT [7/11]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ directions-api-client-hc ---
[INFO] com.graphhopper:directions-api-client-hc:jar:7.0-SNAPSHOT
[INFO] +- com.graphhopper:graphhopper-web-api:jar:7.0-SNAPSHOT:compile

[INFO] +- io.dropwizard:dropwizard-testing:jar:2.0.21:test
[INFO] |  +- io.dropwizard:dropwizard-configuration:jar:2.0.21:test
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.10.5:test
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.26:test
[INFO] |  |  +- com.github.ben-manes.caffeine:caffeine:jar:2.9.0:test
[INFO] |  |  |  +- org.checkerframework:checker-qual:jar:3.12.0:test
[INFO] |  |  |  \- com.google.errorprone:error_prone_annotations:jar:2.6.0:test
[INFO] |  |  \- org.apache.commons:commons-text:jar:1.9:test

[INFO] ---------------< com.graphhopper:graphhopper-web-bundle >---------------
[INFO] Building GraphHopper Dropwizard Bundle 7.0-SNAPSHOT [8/11]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ graphhopper-web-bundle ---
[INFO] com.graphhopper:graphhopper-web-bundle:jar:7.0-SNAPSHOT
[INFO] +- com.graphhopper:graphhopper-web-api:jar:7.0-SNAPSHOT:compile

[INFO] +- io.dropwizard:dropwizard-core:jar:2.0.21:compile
[INFO] |  +- io.dropwizard:dropwizard-util:jar:2.0.21:compile
[INFO] |  +- io.dropwizard:dropwizard-jackson:jar:2.0.21:compile
[INFO] |  |  +- com.github.ben-manes.caffeine:caffeine:jar:2.9.0:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-afterburner:jar:2.10.5:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.10.5:compile
[INFO] |  +- io.dropwizard:dropwizard-validation:jar:2.0.21:compile
[INFO] |  |  +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  \- org.glassfish:jakarta.el:jar:3.0.3:compile
[INFO] |  +- io.dropwizard:dropwizard-configuration:jar:2.0.21:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.10.5:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  |  \- org.apache.commons:commons-text:jar:1.9:compile

[INFO] ------------------< com.graphhopper:graphhopper-nav >-------------------
[INFO] Building GraphHopper Navigation 7.0-SNAPSHOT [9/11]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ graphhopper-nav ---
[INFO] com.graphhopper:graphhopper-nav:jar:7.0-SNAPSHOT
[INFO] +- com.graphhopper:graphhopper-web-api:jar:7.0-SNAPSHOT:compile

[INFO] +- io.dropwizard:dropwizard-core:jar:2.0.21:compile
[INFO] |  +- io.dropwizard:dropwizard-util:jar:2.0.21:compile
[INFO] |  |  \- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |     +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |     +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] |  |     +- com.google.errorprone:error_prone_annotations:jar:2.6.0:compile
[INFO] |  |     \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  +- io.dropwizard:dropwizard-jackson:jar:2.0.21:compile
[INFO] |  |  +- com.github.ben-manes.caffeine:caffeine:jar:2.9.0:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-guava:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-afterburner:jar:2.10.5:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.10.5:compile
[INFO] |  +- io.dropwizard:dropwizard-validation:jar:2.0.21:compile
[INFO] |  |  +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  \- org.glassfish:jakarta.el:jar:3.0.3:compile
[INFO] |  +- io.dropwizard:dropwizard-configuration:jar:2.0.21:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.10.5:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  |  \- org.apache.commons:commons-text:jar:1.9:compile

[INFO] ------------------< com.graphhopper:graphhopper-web >-------------------
[INFO] Building GraphHopper Web 7.0-SNAPSHOT [10/11]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ graphhopper-web ---
[INFO] com.graphhopper:graphhopper-web:jar:7.0-SNAPSHOT
[INFO] +- io.dropwizard:dropwizard-core:jar:2.0.21:compile
[INFO] |  +- io.dropwizard:dropwizard-util:jar:2.0.21:compile
[INFO] |  +- io.dropwizard:dropwizard-jackson:jar:2.0.21:compile
[INFO] |  |  +- com.github.ben-manes.caffeine:caffeine:jar:2.9.0:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-afterburner:jar:2.10.5:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.10.5:compile
[INFO] |  +- io.dropwizard:dropwizard-validation:jar:2.0.21:compile
[INFO] |  |  +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  \- org.glassfish:jakarta.el:jar:3.0.3:compile
[INFO] |  +- io.dropwizard:dropwizard-configuration:jar:2.0.21:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.10.5:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  |  \- org.apache.commons:commons-text:jar:1.9:compile
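Added example, not code from the thread or from GraphHopper: a small Python scanner for `mvn dependency:tree` output that reports every path pulling in a commons-text below 1.10.0 (taking 1.10.0 as the fix version for CVE-2022-42889, an assumption not stated above) and whether the hit sits in a scope that actually ships, since test-scope hits like the one in directions-api-client-hc never reach the packaged jar. The sample tree is constructed, modelled on the trees above.

```python
import re

# Assumption (not stated in the thread): CVE-2022-42889 is fixed in commons-text 1.10.0.
VULNERABLE_GA = "org.apache.commons:commons-text"
FIXED_VERSION = (1, 10, 0)

# Constructed sample modelled on the thread's trees (the forum garbled the `+-`/`\-` connectors).
SAMPLE_TREE = r"""[INFO] com.graphhopper:graphhopper-web-bundle:jar:7.0-SNAPSHOT
[INFO] +- com.graphhopper:graphhopper-web-api:jar:7.0-SNAPSHOT:compile
[INFO] +- io.dropwizard:dropwizard-core:jar:2.0.21:compile
[INFO] |  +- io.dropwizard:dropwizard-util:jar:2.0.21:compile
[INFO] |  \- io.dropwizard:dropwizard-configuration:jar:2.0.21:compile
[INFO] |     +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.10.5:compile
[INFO] |     |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |     \- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \- io.dropwizard:dropwizard-testing:jar:2.0.21:test
[INFO]    \- org.apache.commons:commons-text:jar:1.9:test
"""

# Tree lines only: 3-char indent units ("|  " / "   "), optional "+- " or "\- " connector, coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|\s]{3})*)(?P<conn>[+\\]- )?(?P<coord>\S+)$")


def parse_version(v):
    """Leading numeric components only: '1.9' -> (1, 9), '7.0-SNAPSHOT' -> (7, 0)."""
    nums = []
    for part in re.split(r"[.-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def find_vulnerable(tree, ga=VULNERABLE_GA, fixed=FIXED_VERSION):
    """Every occurrence of `ga` below `fixed`, with the dependency path that pulls it in."""
    findings, stack = [], []  # stack: coordinates from the module root down to the current node
    for line in tree.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banners, plugin headers, blank [INFO] lines
        depth = len(m.group("prefix")) // 3 + (1 if m.group("conn") else 0)
        del stack[depth:]  # drop back to the parent level before pushing this node
        stack.append(m.group("coord"))
        parts = m.group("coord").split(":")  # group:artifact:type[:classifier]:version[:scope]
        scope = parts[-1] if len(parts) >= 5 else None  # the module root line has no scope
        version = parts[-2] if scope else parts[-1]
        if ":".join(parts[:2]) == ga and parse_version(version) < fixed:
            findings.append({"version": version, "scope": scope,
                             "shipped": scope in ("compile", "runtime"),  # test scope never ships
                             "path": " -> ".join(p.split(":")[1] for p in stack)})
    return findings
```

Run it over the full `mvn dependency:tree` log of a multi-module build: each module root line resets the path stack, so findings are reported per module.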

Apparently this was fixed for dropwizard 2.0.34: Release v2.0.34 · dropwizard/dropwizard · GitHub

Let’s see if we can upgrade without problems: GitHub - graphhopper/graphhopper at upgrade_to_dropwizard2.0.32

I just released version 6.2, where this should be fixed.


Thank you easbar :pray: When can it be released?

It is already on Maven central or what are you looking for?