Resolution: Unresolved
Assignee: Unassigned
Reporter: Denis
Priority: TBD
RCA Group: TBD
Created October 28, 2024 at 1:27 PM
Updated March 9, 2025 at 12:44 PM
Severity: HIGH
Link:
Package Name: commons-io_commons-io
Current version: 2.11.0 / fixed in 2.14.0
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

commons-io fixed this regular expression denial of service (ReDoS) vulnerability with two commits:
https://github.com/apache/commons-io/commit/3c9d7bc18c1c0a4bd2524003c8c1db1c9eb112c2
https://github.com/apache/commons-io/commit/06fde31494c279ad940149e1a3d4944040c73c0d
Modules impacted:

Module | Team | Version | Dependencies with commons-io
mod-data-import | Folijet | 3.1.1 | commons-io 2.15.1
mod-tags | Volaris | 2.2.0 | only folio-spring-base
mod-notes | Spitfire | 5.2.0 | only folio-spring-base
mod-quick-marc | Spitfire | 5.1.1 | only folio-spring-base
mod-inventory | Folijet | 20.2.7 | only domain-models-runtime and data-import-processing-core
mod-circulation | Vega | 24.2.5 | only mod-pubsub-client and domain-models-runtime
mod-feesfines | Vega | 19.1.0 | only domain-models-runtime
mod-data-export | Firebird | 5.0.4 | only folio-spring-base, folio-s3-client, generate-marc-utils
mod-data-export-spring | Firebird | 3.2.2 | only folio-spring-base
mod-data-export-worker | Firebird | 3.2.4 | only folio-spring-base, minio, sshd-spring-sftp
mod-bulk-operations | Firebird | 2.0.2 | only folio-spring-base, folio-s3-client
mod-remote-storage | Volaris | 3.2.0 | only folio-spring-base, mod-pubsub-client
mod-calendar | Bama | 3.1.0 | only folio-spring-base
mod-agreements | Bienenvolk (fka ERM) | 7.0.8 | tbd
mod-licenses | Bienenvolk (fka ERM) | 6.0.3 | tbd
mod-kb-ebsco-java | Spitfire | 4.0.0 | only domain-models-runtime
mod-service-interaction | K-Int | 4.0.2 | tbd
mod-ebsconet | Thunderjet | 2.2.0 | only folio-spring-base, spring-cloud-starter-openfeign
mod-fqm-manager | Corsair | 2.0.5 | only folio-spring-base
mod-serials-management | K-Int | 1.0.3 | tbd
edge-dematic | Volaris | 2.2.4 | only folio-spring-base
edge-caiasoft | Volaris | 2.2.4 | only edge-common-spring
edge-fqm | Corsair | 2.0.2 | only folio-spring-base
mod-consortia-keycloak | Eureka | 1.4.5 | only folio-spring-base
mod-dcb | Volaris | 1.1.1 | only folio-spring-base
mod-circulation-item | Volaris | 1.0.0 | only folio-spring-base
edge-dcb | Volaris | 1.1.3 | only folio-spring-base
Modules that directly use the vulnerable org.apache.commons.io.input.XmlStreamReader: https://github.com/search?q=org%3Afolio-org+org.apache.commons.io.input.XmlStreamReader&type=code
none!

Modules that directly use the different, non-vulnerable javax.xml.stream.XMLStreamReader: https://github.com/search?q=org%3Afolio-org%20XmlStreamReader&type=code
mod-reservoir - not vulnerable
mod-shared-index - not vulnerable
mod-meta-storage - not vulnerable
How to list the commons-io dependencies:

For Ramsons, folio-spring-base 8.2.0 uses a fixed commons-io version 2.16.1:

For Quesnelia, folio-spring-base 8.1.2 uses a vulnerable commons-io version 2.11.0:
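Added example (not part of this ticket or of the FOLIO project's code): a small checker that reads the output of mvn dependency:tree -Dincludes=commons-io:commons-io -Dverbose and reports, for every commons-io node, the artifact path that pulls it in, whether the version lies in the advisory's affected range (2.0 up to but excluding 2.14.0), and which version Maven actually resolves once -Dverbose reveals the nodes omitted for conflict. The two trees embedded below are constructed, not captured from a build: they describe a hypothetical module mod-example (and a made-up org.example:some-library) so as to mirror the Quesnelia (folio-spring-base 8.1.2, commons-io 2.11.0) and Ramsons (folio-spring-base 8.2.0, commons-io 2.16.1) cases above.

```python
"""Report which commons-io version a Maven module resolves, from dependency:tree output.

Added example for this ticket, not FOLIO project code. Produce real input with
    mvn dependency:tree -Dincludes=commons-io:commons-io -Dverbose
(-Dincludes keeps only the paths ending in commons-io; -Dverbose keeps the nodes
Maven dropped during conflict resolution). The trees below are constructed for a
hypothetical mod-example; they are not captured from a real build.
"""
import re
import sys

AFFECTED_MIN = (2, 0)        # advisory: affected from 2.0 ...
FIXED_IN = (2, 14, 0)        # ... before 2.14.0
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
NODE_RE = re.compile(r"^((?:[| ]  )*)(\+- |\\- )?(.*)$")          # indent units, connector, body
OMITTED_RE = re.compile(r"^\((.*?) - (omitted for .*)\)$")        # -Dverbose conflict marker

QUESNELIA_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ mod-example ---
[INFO] org.folio:mod-example:jar:1.0.0
[INFO] +- org.folio:folio-spring-base:jar:8.1.2:compile
[INFO] |  \\- commons-io:commons-io:jar:2.11.0:compile
[INFO] \\- org.example:some-library:jar:3.0.0:compile
[INFO]    \\- (commons-io:commons-io:jar:2.16.1:compile - omitted for conflict with 2.11.0)
[INFO] BUILD SUCCESS
"""

RAMSONS_TREE = """\
[INFO] org.folio:mod-example:jar:1.1.0
[INFO] \\- org.folio:folio-spring-base:jar:8.2.0:compile
[INFO]    \\- commons-io:commons-io:jar:2.16.1:compile
"""


def version_tuple(version):
    """'2.11.0' -> (2, 11, 0); qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version):
    """True for versions in the advisory's range [2.0, 2.14.0)."""
    return AFFECTED_MIN <= version_tuple(version) < FIXED_IN


def parse_nodes(tree_text):
    """Yield (depth, 'groupId:artifactId', version, omitted_reason_or_None) per tree line."""
    for raw in tree_text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        prefix, connector, body = NODE_RE.match(raw[7:]).groups()
        omitted = None
        match = OMITTED_RE.match(body)
        if match:
            body, omitted = match.groups()
        if " " in body or body.count(":") < 3:
            continue  # plugin banner, separators, "BUILD SUCCESS"
        parts = body.split(":")   # groupId:artifactId:type[:classifier]:version[:scope]
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        depth = len(prefix) // 3 + (1 if connector else 0)  # each indent unit is 3 chars
        yield depth, f"{parts[0]}:{parts[1]}", version, omitted


def commons_io_nodes(tree_text):
    """Every commons-io node with the artifact path that pulls it in."""
    stack, nodes = [], []
    for depth, ga, version, omitted in parse_nodes(tree_text):
        del stack[depth:]                 # back up to the parent at this depth
        stack.append(ga.split(":")[1])
        if ga == "commons-io:commons-io":
            nodes.append({"version": version, "path": list(stack),
                          "omitted": omitted, "affected": is_affected(version)})
    return nodes


def resolved_commons_io(tree_text):
    """Version Maven actually puts on the classpath: the first node not marked omitted, or None."""
    for node in commons_io_nodes(tree_text):
        if node["omitted"] is None:
            return node["version"]
    return None


def report(tree_text):
    """Human-readable summary, one line per commons-io node plus the resolved verdict."""
    lines = []
    for node in commons_io_nodes(tree_text):
        state = "AFFECTED" if node["affected"] else "fixed"
        note = f" ({node['omitted']})" if node["omitted"] else ""
        lines.append(f"commons-io {node['version']} [{state}] via {' -> '.join(node['path'])}{note}")
    resolved = resolved_commons_io(tree_text)
    verdict = "upgrade needed" if resolved and is_affected(resolved) else "ok"
    lines.append(f"resolved: {resolved} -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    if not sys.stdin.isatty():            # real `mvn dependency:tree` output piped in
        print(report(sys.stdin.read()))
    else:
        for name, tree in (("Quesnelia", QUESNELIA_TREE), ("Ramsons", RAMSONS_TREE)):
            print(f"== {name} ==\n{report(tree)}\n")
```

Pipe real output in with mvn dependency:tree -Dincludes=commons-io:commons-io -Dverbose | python3 the-script.py (older 3.x releases of maven-dependency-plugin ignore -Dverbose and print a warning). The omitted lines matter: a fixed 2.16.1 that loses nearest-wins mediation to 2.11.0 is still a finding, and the remedy is a dependencyManagement pin or a folio-spring-base upgrade, not merely having a newer commons-io somewhere deeper in the tree.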
spring-cloud-* – doesn't directly use XmlStreamReader: https://github.com/search?q=org%3Aspring-cloud%20XmlStreamReader&type=code
commons-fileupload – doesn't directly use XmlStreamReader: https://github.com/search?q=repo%3Aapache%2Fcommons-fileupload%20XmlStreamReader&type=code
openapi-generator – doesn't directly use XmlStreamReader: https://github.com/search?q=org%3AOpenAPITools+XmlStreamReader&type=code
swagger-* – doesn't directly use XmlStreamReader: https://github.com/search?q=org%3AAPIDevTools%20XmlStreamReader&type=code

Therefore all Quesnelia modules whose only route to commons-io is through these libraries are not vulnerable: the affected commons-io 2.11.0 is on the classpath, but neither the module nor any of its dependencies calls XmlStreamReader, so the ReDoS code path cannot be reached. The remaining dependencies from the table above are checked the same way:
Library | Dependencies with commons-io
commons-compress | https://github.com/search?q=repo%3Aapache%2Fcommons-compress%20XmlStreamReader&type=code , not vulnerable
domain-models-runtime | only commons-compress, not vulnerable
data-import-processing-core | none, not vulnerable
edge-common-spring | only folio-spring-base, not vulnerable
folio-s3-client | only minio, not vulnerable
folio-spring-base | see above, not vulnerable
generate-marc-utils | none, not vulnerable
minio | https://github.com/search?q=org%3Aminio%20XmlStreamReader&type=code , only commons-compress, not vulnerable
mod-pubsub-client | only domain-models-runtime, not vulnerable
spring-cloud-starter-openfeign | see above, not vulnerable
spring-integration-file | https://github.com/search?q=repo%3Aspring-projects%2Fspring-integration%20XmlStreamReader&type=code , none, not vulnerable
sshd-spring-sftp | https://github.com/search?q=repo%3Aapache%2Fmina-sshd%20XmlStreamReader&type=code , only spring-integration-file, not vulnerable
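The GitHub code searches above answer whether FOLIO code and its third-party dependencies mention XmlStreamReader in source. As an added example (not code from the FOLIO project or from Apache Commons IO), the script below applies the same question to built artifacts: it walks a module jar, descends into the nested BOOT-INF/lib/*.jar entries of a Spring Boot fat jar, parses each class file's constant pool and reports every class that defines or references org/apache/commons/io/input/XmlStreamReader, which is how a use of the class shows up in compiled code (as a CONSTANT_Class name or inside a Lorg/...;-style descriptor). The fat jar it scans is constructed in memory from hand-made minimal class files; org/folio/example/App, com/example/XmlSniffer and xml-consumer-1.0.jar are invented for the demonstration.

```python
"""Report compiled classes that define or use org.apache.commons.io.input.XmlStreamReader.

Added example for this ticket (not FOLIO or Apache Commons IO code). A use of the class
appears in a class file's constant pool as the internal name
org/apache/commons/io/input/XmlStreamReader (CONSTANT_Class) or inside a descriptor as
Lorg/apache/commons/io/input/XmlStreamReader; . Nested BOOT-INF/lib/*.jar entries of Spring
Boot fat jars are descended into. The jar scanned in main() is a constructed in-memory fixture.
"""
import io
import struct
import zipfile

TARGET = b"org/apache/commons/io/input/XmlStreamReader"
# Body size of each fixed-width constant-pool entry by tag (JVMS 4.4); Utf8 (tag 1) is variable.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool(data):
    """Return (pool, this_class_index); pool maps index -> bytes for Utf8, name index for Class."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pool, pos, index = {}, 10, 1
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pool[index] = data[pos + 2:pos + 2 + length]
            pos += 2 + length
        else:
            if tag == 7:
                (pool[index],) = struct.unpack(">H", data[pos:pos + 2])
            pos += CP_FIXED[tag]           # KeyError on an unknown tag: corrupt class file
        index += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    (this_class,) = struct.unpack(">H", data[pos + 2:pos + 4])  # after access_flags
    return pool, this_class


def classify(data):
    """'defines' if the class is XmlStreamReader itself, 'uses' if it references it, else None."""
    pool, this_class = constant_pool(data)
    if pool.get(pool.get(this_class)) == TARGET:
        return "defines"
    for value in pool.values():
        if isinstance(value, bytes) and (value == TARGET or b"L" + TARGET + b";" in value):
            return "uses"
    return None


def scan_jar(jar, prefix=""):
    """Map 'nested.jar!/pkg/Entry.class' -> 'uses' | 'defines'; jar is a path, file object or bytes."""
    if isinstance(jar, bytes):
        jar = io.BytesIO(jar)
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                kind = classify(zf.read(name))
                if kind:
                    found[prefix + name] = kind
            elif name.endswith(".jar"):   # Spring Boot BOOT-INF/lib/*.jar and the like
                found.update(scan_jar(zf.read(name), prefix + name + "!/"))
    return found


def uses_xml_stream_reader(jar):
    """True when some class other than the definition itself references XmlStreamReader."""
    return "uses" in scan_jar(jar).values()


def make_class(this_name, extra_utf8=()):
    """Constructed fixture: minimal class file with a real constant pool and no members."""
    def utf8(s):
        return b"\x01" + struct.pack(">H", len(s)) + s
    entries = [utf8(this_name), b"\x07" + struct.pack(">H", 1),           # #1 name, #2 Class->#1
               utf8(b"java/lang/Object"), b"\x07" + struct.pack(">H", 3)]  # #3 super, #4 Class->#3
    entries += [utf8(s) for s in extra_utf8]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)               # class version 52 = Java 8
    pool = struct.pack(">H", len(entries) + 1) + b"".join(entries)
    body = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)               # flags, this, super, 0 counts
    return header + pool + body


def make_jar(entries):
    """Constructed fixture: zip a {name: bytes} mapping into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_fat_jar():
    """Spring Boot style layout: an app class with no reference, a library that uses
    XmlStreamReader, and the commons-io jar that defines it (all names invented)."""
    commons_io = make_jar({
        "org/apache/commons/io/input/XmlStreamReader.class": make_class(TARGET),
        "org/apache/commons/io/IOUtils.class": make_class(b"org/apache/commons/io/IOUtils")})
    consumer = make_jar({"com/example/XmlSniffer.class": make_class(
        b"com/example/XmlSniffer", [b"(Ljava/io/InputStream;)Lorg/apache/commons/io/input/XmlStreamReader;"])})
    return make_jar({
        "BOOT-INF/classes/org/folio/example/App.class": make_class(b"org/folio/example/App"),
        "BOOT-INF/lib/commons-io-2.11.0.jar": commons_io,
        "BOOT-INF/lib/xml-consumer-1.0.jar": consumer})


if __name__ == "__main__":
    for entry, kind in sorted(scan_jar(build_sample_fat_jar()).items()):
        print(f"{kind:8} {entry}")
```

To scan a real module, pass a path to scan_jar (for a FOLIO Spring module, the fat jar under target/). A module is actually exposed only when both conditions hold: the resolved commons-io is in [2.0, 2.14.0) and scan_jar reports at least one 'uses' entry. A 'defines' hit on the commons-io jar alone just confirms the affected class is present on the classpath, which is what the scanner flagged and what the analysis above argues is not reachable.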