Transitive Dependency Vulnerability - Dom4J 1.6.1

[alivianmuir]

Dom4J 1.6.1 is a transitive dependency of the version plugin and vulnerable to the following:

• CVE-2020-10683
• CVE-2018-1000632

Versions Maven Plugin – Project Dependencies
org.codehaus.mojo:versions-maven-plugin:maven-plugin:2.16.2

• org.apache.maven.doxia:doxia-site-renderer:jar:1.11.1

  • org.apache.velocity:velocity-tools:jar:2.0

    • dom4j:dom4j:jar:1.6.1

Please upgrade dependency Dom4J 1.6.1 to Dom4J 2.1.3 or higher as the only vulnerability affecting it has been officially withdrawn by the NVD:

• https://mvnrepository.com/artifact/org.dom4j/dom4j/2.1.3
• https://nvd.nist.gov/vuln/detail/CVE-2023-45960

[slawekjaranowski]

please see: #946

[alivianmuir]

@slawekjaranowski Thank you. We will pursue this mitigation technique as an alternative for now. Are there plans for future releases to upgrade the Dom4J package to a non-vulnerable version?

[slawekjaranowski]

Please read:

• https://lists.apache.org/thread/l778r6cwj604hxhjlqs8kt58nngcd602
• https://cwiki.apache.org/confluence/display/MAVEN/Towards+Doxia+2.0.0+Stack

[slawekjaranowski]

will be resolved by #1168