Description
The Eureka client library is using commons-configuration:commons-configuration:1.10 which is vulnerable to the following CVEs:
- CVE-2024-29131 - moderate 6.5
- CVE-2024-29133 - moderate 6.5
Both of these vulnerabilities were initially reported as only affecting org.apache.commons:commons-configuration2 however they're now getting flagged against commons-configuration:commons-configuration:1.10 also. There is some explanation here: ESAPI/esapi-java-legacy#843
[Vendor] team discovered that [CVE-2024-29131] was also introduced in version 1.8 of the predecessor package commons-configuration instead of only affecting versions from 2.0 before 2.10.1 as stated in the advisory.
[Vendor] team discovered that [CVE-2024-29133] was actually introduced in version 1.0-rc1 of the commons-configuration package instead of the version 2.0.0 of the commons-configuration2 package as stated in the advisory.
The current recommendation is to upgrade to org.apache.commons:commons-configuration2:2.10.1
Activity