Bug #12753

open

commons-upload 1.3.3 has known vulnerabilities

Added by Raf Pauwels 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 06/17/2024
Due date:
% Done: 0%
Estimated time:

Description

JWt includes and depends on commons-fileupload 1.3.3 in its Maven POM file. This is marked as having known vulnerabilities CVE-2016-1000031, CVE-2023-24998. Both are to my knowledge not applicable to JWt. Still, Maven dependency analysis software marks JWt as vulnerable because of transitive dependencies with known vulnerabilities.

This library is only used for the check isMultipartContent(). This method checks whether the request is a POST where the Content-Type starts with multipart/.

Does this usage warrant the inclusion of the entire commons-fileupload? Can we either upgrade the dependency, or remove it by implementing this method ourselves?
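For reference, a dependency-free equivalent of the check the report describes: the commons-fileupload `isMultipartContent()` test returns true only for a POST whose Content-Type begins with `multipart/`, compared case-insensitively. This is an added example, not JWt's code and not taken from commons-fileupload; the class name `MultipartCheck` and the string-based signature (rather than an `HttpServletRequest`) are assumptions made so it runs without the servlet API. Note the follow-up comment on this issue, which states that JWt uses the library for more than this one check, so a replacement like this alone would not remove the dependency.

```java
import java.util.Locale;

/**
 * Added example (not JWt code): a standalone equivalent of the
 * isMultipartContent() check described in the report. The class name
 * and the (method, contentType) signature are assumptions; the real
 * check reads these values from an HttpServletRequest.
 */
public final class MultipartCheck {

    private MultipartCheck() {}

    /**
     * Returns true when the request method is POST and the Content-Type
     * header starts with "multipart/" (case-insensitive, as the
     * commons-fileupload check behaves). A missing method or header
     * yields false rather than an exception.
     */
    public static boolean isMultipartContent(String method, String contentType) {
        if (method == null || !"POST".equalsIgnoreCase(method)) {
            return false;
        }
        if (contentType == null) {
            return false;
        }
        return contentType.toLowerCase(Locale.ENGLISH).startsWith("multipart/");
    }

    // Self-check on constructed sample requests (not captured traffic).
    public static void main(String[] args) {
        check(true,  "POST", "multipart/form-data; boundary=----constructedBoundary");
        check(true,  "post", "Multipart/Mixed");
        check(false, "GET",  "multipart/form-data");
        check(false, "POST", "application/x-www-form-urlencoded");
        check(false, "POST", null);
        check(false, null,   "multipart/form-data");
        System.out.println("all checks passed");
    }

    private static void check(boolean expected, String method, String contentType) {
        boolean actual = isMultipartContent(method, contentType);
        if (actual != expected) {
            throw new AssertionError("isMultipartContent(" + method + ", "
                    + contentType + ") returned " + actual);
        }
    }
}
```

Compile and run with `javac MultipartCheck.java && java MultipartCheck`. The check deliberately rejects a null Content-Type instead of throwing, since a request without that header is simply not multipart.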

#1

Updated by Raf Pauwels 3 months ago

Raf Pauwels wrote:

This library is only used for the check isMultipartContent().

Not sure why I thought that, but this is not true. So the best option would be to upgrade, IMO.
