Eureka client using vulnerable version of apache commons-configuration.

[Gautham-JS]

Hey, one of our internal security scans reported Apache commons-configuration version 1.10 used in eureka client library, this version has the following vulnerabilities : CVE-2024-29133, BDSA-2024-0705.

Any particular reason we are not considering an upgrade for this dependency?

[Gautham-JS]

Closing since on further internal analysis, the vulnerability is only applicable for versions 2.0 -> 2.10

[eddboyer]

@Gautham-JS It looks like this vulnerability was actually brought in from commons-configuration:commons-configuration:1.0-rc1 . The recommendation is currently to upgrade to the 2.10.1 version.

[Vendor] team discovered that [CVE-2024-29133] was actually introduced in version 1.0-rc1 of the commons-configuration package instead of the version 2.0.0 of the commons-configuration2 package as stated in the advisory.

ESAPI/esapi-java-legacy#843

I have raised this as a new issue: #1556