Description
By using [email protected], that library is importing commons-logging/[email protected] which then has a very old version of log4j in use, with several critical vulnerabilities. The current one that is being raised by our SBOM scanning is https://www.cve.org/CVERecord?id=CVE-2020-9493
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
The latest httpclient4 version seems to be 4.5.14, which doesn't address the commons-logging library version, but you can maybe try upgrading to httpclient5 https://mvnrepository.com/artifact/org.apache.httpcomponents.client5/httpclient5
NOTE: these log4j vulnerabilities are classified as Critical, which for PCI compliance has a 30 day expected resolution. As a payment provider I hope that this might help escalate the attention of this issue 🤞
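A stopgap for the dependency chain described in the report, added here as an example (it is not code from the issue, the reporter, or the HttpComponents project): a pom.xml that keeps httpclient 4.5.14, excludes the legacy log4j:log4j 1.2 line from the resolved graph, and makes maven-enforcer fail the build if that artifact is ever pulled back in by another path. The project coordinates (com.example:httpclient-no-log4j) are assumed; the httpclient, commons-logging and enforcer-plugin coordinates are real Maven coordinates.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the issue. Assumes the build resolves log4j:log4j
     through httpclient -> commons-logging as the report describes. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>httpclient-no-log4j</artifactId>
  <version>1.0.0</version>

  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.14</version>
      <exclusions>
        <!-- Drop log4j 1.2.x (CVE-2020-9493) wherever it enters through this
             dependency's transitive graph, e.g. via commons-logging. -->
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guard rail: fail the build if log4j:log4j reappears via any other
           dependency, so the SBOM finding cannot silently come back. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-log4j-1x</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>log4j:log4j</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Verify the result with `mvn dependency:tree -Dincludes=log4j:log4j`, which should list no matching artifacts once the exclusion is in place. The exclusion only removes the artifact from the resolved graph; if any code in the application actually logs through log4j 1.x, supply a supported backend instead. The longer-term fix is the upgrade the report suggests: httpclient5 (org.apache.httpcomponents.client5:httpclient5) logs via SLF4J rather than commons-logging, so the chain that brings in log4j 1.2.x no longer exists.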