Regarding the following vulnerability found in the commons-collections library,

https://www.kb.cert.org/vuls/id/576313

I’ve found that the affected version 3.2.1 is pulled into hibernate (3.6.10.18) in the Grails project I am running under 2.5.5. Does this use of the library pose any threat in terms of exposing the vulnerability? Should I be importing the patched version (3.2.2) as a direct dependency to mitigate any chance of exposure?

dre

1 Answer

The vulnerable class in question (InvokerTransformer) has never been used in the Grails codebase, and I don't see a circumstance where this vulnerability is exploitable in a Grails application.

Nevertheless, you can of course upgrade to 3.2.2 just by specifying the dependency in your BuildConfig.groovy or build.gradle file.

Graeme Rocher
  • Thanks @Graeme, seems like I can be comfortable with this dependency without having to patch. I prefer not to override dependencies where possible regardless of how insignificant it may appear to be. – dre Jan 31 '17 at 16:32
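As an added illustration of the upgrade route the answer mentions (this is example configuration, not code from the question, the answer, or the Grails project), the following shows how the transitive commons-collections 3.2.1 pulled in through hibernate can be pinned to the patched 3.2.2 in both build systems used by Grails 2.x. The artifact coordinates `commons-collections:commons-collections` are the library's real Maven coordinates; the surrounding project layout is assumed.

```groovy
// --- build.gradle (Gradle-based Grails build) ---
// Declare the patched version directly so it is visible in the build file
// instead of arriving only as a transitive dependency of hibernate.
dependencies {
    compile 'commons-collections:commons-collections:3.2.2'
}

// A direct declaration alone does not guarantee the winner of conflict
// resolution, so force the version across every configuration. Any
// transitive request for 3.2.1 (for example from hibernate) is overridden.
configurations.all {
    resolutionStrategy {
        force 'commons-collections:commons-collections:3.2.2'
        // Fail the build rather than silently resolve a mixed version set.
        failOnVersionConflict()
    }
}

// --- grails-app/conf/BuildConfig.groovy (classic Grails 2.x build) ---
// Equivalent pin for the Ivy-based resolver used by Grails 2.5.x.
grails.project.dependency.resolution = {
    dependencies {
        compile 'commons-collections:commons-collections:3.2.2'
    }
}
```

To confirm which version actually lands on the classpath after the change, run `gradle dependencyInsight --dependency commons-collections` for the Gradle build, or `grails dependency-report` for the BuildConfig.groovy build, and check that only 3.2.2 is listed; a remaining 3.2.1 entry means another configuration still resolves the old artifact.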