Eureka client using version of apache commons-configuration vulnerable to CVE-2024-29131 and CVE-2024-29133

The Eureka client library is using `commons-configuration:commons-configuration:1.10` which is vulnerable to the following CVEs:

- [CVE-2024-29131](https://github.com/advisories/GHSA-xjp4-hw94-mvp5) - moderate 6.5
- [CVE-2024-29133](https://github.com/advisories/GHSA-9w38-p64v-xpmv) - moderate 6.5

Both of these vulnerabilities were initially reported as only affecting `org.apache.commons:commons-configuration2` however they're now getting flagged against `commons-configuration:commons-configuration:1.10` also. There is some explanation here: https://github.com/ESAPI/esapi-java-legacy/discussions/843

> [Vendor] team discovered that [CVE-2024-29131] was also introduced in version 1.8 of the predecessor package commons-configuration instead of only affecting versions from 2.0 before 2.10.1 as stated in the advisory.
> 
> [Vendor] team discovered that [CVE-2024-29133] was actually introduced in version 1.0-rc1 of the commons-configuration package instead of the version 2.0.0 of the commons-configuration2 package as stated in the advisory.

The current recommendation is to upgrade to  `org.apache.commons:commons-configuration2:2.10.1`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Eureka client using version of apache commons-configuration vulnerable to CVE-2024-29131 and CVE-2024-29133 #1556

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development