Security Advisories

CGA-v8cq-7g32-g327

Published

Last updated

https://images.chainguard.dev/security/CGA-v8cq-7g32-g327
Package

wso2is

Repository

Chainguard

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-46392
  • GHSA-pvp8-3xj6-8c6x

Severity

Unknown

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-46392

Updates

Status

Pending upstream fix

Impact

This vulnerability affects commons-configuration 1.10, which is included as an OSGi bundle in WSO2 IS. The Apache Commons Configuration 1.x branch is no longer receiving security updates as of 2016. Apache recommends upgrading to commons-configuration2 (the 2.x branch), but this is a breaking change. The vulnerable component is installed at /usr/share/java/wso2is/repository/components/plugins/org.apache.commons.configuration_1.10.0.jar and is part of WSO2's core framework dependencies. Attempts to override this dependency version through Maven dependency management were unsuccessful because the bundle appears to be embedded within WSO2's P2 feature system. A fix is pending from upstream WSO2, either to migrate to commons-configuration2 or to provide security patches for 1.x.

Status

Under investigation

