Security Advisories

CGA-v8cq-7g32-g327

Published

Last updated

https://images.chainguard.dev/security/CGA-v8cq-7g32-g327
Package

wso2is

Repository

Chainguard

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-46392
  • GHSA-pvp8-3xj6-8c6x

Severity

Unknown

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-46392

Updates

Status

Pending upstream fix

Impact

This vulnerability affects commons-configuration 1.10, which is included as an OSGi bundle in WSO2 IS. The Apache Commons Configuration 1.x branch is no longer receiving security updates as of 2016. Apache recommends upgrading to commons-configuration2 (the 2.x branch), but this is a breaking change. The vulnerable component is installed at /usr/share/java/wso2is/repository/components/plugins/org.apache.commons.configuration_1.10.0.jar and is part of WSO2's core framework dependencies. Attempts to override this dependency version through Maven dependency management were unsuccessful, as it appears to be embedded within WSO2's P2 feature system. A fix is pending from upstream WSO2, either by migrating to commons-configuration2 or by providing security patches for 1.x.

Status

Under investigation

