
dom4j1.1 dependency #834

Closed
AleksandrNi opened this issue Nov 28, 2022 · 6 comments

Comments

@AleksandrNi

AleksandrNi commented Nov 28, 2022

Could you please update the version of the dependency?
dom4j:dom4j CVE-2020-10683 CRITICAL 1.1

[INFO] - org.codehaus.mojo:versions-maven-plugin:jar:2.13.0:compile
[INFO] +- org.apache.maven.reporting:maven-reporting-api:jar:3.1.1:compile
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:3.2.0:compile
[INFO] | +- org.apache.maven:maven-core:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-model:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-settings:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-settings-builder:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-repository-metadata:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-model-builder:jar:3.1.0:compile
[INFO] | | +- org.apache.maven:maven-aether-provider:jar:3.1.0:compile
[INFO] | | | - org.eclipse.aether:aether-spi:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.aether:aether-impl:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.aether:aether-api:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.aether:aether-util:jar:0.9.0.M2:compile
[INFO] | | +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.0.0.M2a:compile
[INFO] | | | +- javax.enterprise:cdi-api:jar:1.0:compile
[INFO] | | | | +- javax.annotation:jsr250-api:jar:1.0:compile
[INFO] | | | | - javax.inject:javax.inject:jar:1:compile
[INFO] | | | +- org.sonatype.sisu:sisu-guice:jar:no_aop:3.1.0:compile
[INFO] | | | | - aopalliance:aopalliance:jar:1.0:compile
[INFO] | | | - org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.0.0.M2a:compile
[INFO] | | | - asm:asm:jar:3.3.1:compile
[INFO] | | +- org.codehaus.plexus:plexus-interpolation:jar:1.16:compile
[INFO] | | +- org.codehaus.plexus:plexus-classworlds:jar:2.4.2:compile
[INFO] | | - org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] | | - org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] | +- org.apache.maven:maven-artifact:jar:3.1.0:compile
[INFO] | +- org.apache.maven:maven-plugin-api:jar:3.1.0:compile
[INFO] | +- org.apache.maven.shared:maven-shared-utils:jar:3.3.4:compile
[INFO] | | - commons-io:commons-io:jar:2.6:compile
[INFO] | +- org.apache.maven.doxia:doxia-decoration-model:jar:1.11.1:compile
[INFO] | - org.apache.maven.doxia:doxia-integration-tools:jar:1.11.1:compile
[INFO] +- org.apache.maven.shared:maven-common-artifact-filters:jar:3.3.2:compile
[INFO] +- org.apache.maven.wagon:wagon-file:jar:3.5.2:compile
[INFO] | - org.apache.maven.wagon:wagon-provider-api:jar:3.5.2:compile
[INFO] +- org.apache.maven.doxia:doxia-core:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-logging-api:jar:1.11.1:compile
[INFO] | +- org.codehaus.plexus:plexus-container-default:jar:2.1.0:compile
[INFO] | | +- org.apache.xbean:xbean-reflect:jar:3.7:compile
[INFO] | | - com.google.collections:google-collections:jar:1.0:compile
[INFO] | +- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:compile
[INFO] | - org.apache.commons:commons-text:jar:1.3:compile
[INFO] +- org.apache.maven.doxia:doxia-sink-api:jar:1.11.1:compile
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-skin-model:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-module-xhtml:jar:1.11.1:compile
[INFO] | +- org.apache.maven.doxia:doxia-module-xhtml5:jar:1.11.1:compile
[INFO] | +- org.codehaus.plexus:plexus-i18n:jar:1.0-beta-10:compile
[INFO] | +- org.codehaus.plexus:plexus-velocity:jar:1.2:compile
[INFO] | +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | | - commons-lang:commons-lang:jar:2.4:compile
[INFO] | +- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] | | +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] | | +- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | +- commons-chain:commons-chain:jar:1.1:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.1:compile
[INFO] | | +- dom4j:dom4j:jar:1.1:compile

@slawekjaranowski
Member

Please provide an example project which shows how CVE-2020-10683 can be used in versions-maven-plugin.

@andrzejj0
Contributor

andrzejj0 commented Dec 18, 2022

Are you using org.apache.maven.reporting:maven-reporting-impl or org.codehaus.mojo:versions-maven-plugin as a project dependency @AleksandrNi?

@andrzejj0
Contributor

Resolved by #877?

@slawekjaranowski
Member

Not exactly - there is a legacy dependency dom4j:dom4j which does not have a fix; the fix is in the artifact with the new coordinate org.dom4j:dom4j.
Will be fixed in the new doxia.

@slawekjaranowski
Member

Now closed as won't fix by versions.

@slawekjaranowski closed this as not planned Dec 23, 2022
@andrzejj0
Contributor

Even so, I don't see how this could possibly be used for an exploit unless somebody used the plugin as a dependency in their project.
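To see which transitive chain actually pulls the flagged legacy coordinate into a tree like the one in the first post, a small parser for `mvn dependency:tree` output is handy. This is an added example, not code from the issue or from versions-maven-plugin; the sample tree is constructed (abridged from the report above) and uses Maven's standard `+-`, `\-` and `|  ` connectors with their original three-column spacing, which the copy in the issue lost.

```python
"""Find root-to-leaf chains that end in a given group:artifact in `mvn dependency:tree` output."""
import re
from typing import List, Tuple

# Constructed sample: an abridged version of the tree from the first post,
# in Maven's original spacing (each nesting level is exactly 3 columns).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ example ---
[INFO] org.codehaus.mojo:versions-maven-plugin:jar:2.13.0
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:3.2.0:compile
[INFO] |  \- org.apache.maven:maven-core:jar:3.1.0:compile
[INFO] +- org.apache.maven.doxia:doxia-core:jar:1.11.1:compile
[INFO] |  \- org.apache.commons:commons-text:jar:1.3:compile
[INFO] \- org.apache.maven.doxia:doxia-site-renderer:jar:1.11.1:compile
[INFO]    +- org.apache.velocity:velocity:jar:1.7:compile
[INFO]    \- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO]       +- commons-logging:commons-logging:jar:1.1:compile
[INFO]       \- dom4j:dom4j:jar:1.1:compile
"""

# prefix: zero or more "|  " / "   " level markers, then an optional "+- " or "\- " connector;
# gav: group:artifact:type:version[:scope]. Banner lines ("--- ... ---") do not match.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   )*(?:[+\\]- )?)"
    r"(?P<gav>[\w.\-]+:[\w.\-]+:[\w.\-]+(?::[\w.\-]+)*)\s*$"
)


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, gav) for every artifact line; the root has depth 0."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners, blank [INFO] lines, build summary
        nodes.append((len(m.group("prefix")) // 3, m.group("gav")))
    return nodes


def paths_to(text: str, group_artifact: str) -> List[List[str]]:
    """Every chain from the root down to an artifact whose gav starts with group_artifact."""
    stack: List[str] = []  # gav of each ancestor, indexed by depth
    hits = []
    for depth, gav in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent level
        stack.append(gav)
        if gav.startswith(group_artifact + ":"):
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for chain in paths_to(SAMPLE_TREE, "dom4j:dom4j"):  # legacy coordinate from the report
        print(" -> ".join(chain))
```

Running it against real output of `mvn dependency:tree` for a project shows whether `dom4j:dom4j` arrives through the project's own dependencies or only through a build plugin's tree, which is the distinction the last two comments turn on.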
