CVE-2024-21742 #39672
Replies: 7 comments 9 replies
-
@Alex-Kidston Hi, I believe Quarkus does not use MIME4J DOM anywhere
-
@sberyozkin unfortunately, I can see the apache-mime4j v0.8.9 dependency here:
-
@sberyozkin completely understand...yes, Mend is pretty unforgiving...if a dependency is mentioned, it's evaluated for CVEs...thanks for investigating!
-
Resolved by this PR
-
@sberyozkin I hate to say it, but even after pulling in 3.9.1, we're seeing the apache-mime4j-core v0.8.9 as a dependency - here's the gradle scan output:
All of our build.gradle quarkus dependencies are set to 3.9.1 - is there something we're missing? thanks as ever for your help...
-
@sberyozkin issue resolved on our end, whitesource scan is clean - thank you for your help!
-
Thanks @Alex-Kidston, and @aloubyansky for recommending the right fix
-
Hi - CVE-2024-21742 is outstanding for the apache-mime4j-core dependency to move to v0.8.10 - is there a targeted fix version? thanks in advance...