wso2is
Chainguard
Status
Impact
This vulnerability affects commons-configuration 1.10, which is included as an OSGi bundle in WSO2 IS. The Apache Commons Configuration 1.x branch is no longer receiving security updates as of 2016. Apache recommends upgrading to commons-configuration2 (the 2.x branch), but this is a breaking change. The vulnerable component is installed at /usr/share/java/wso2is/repository/components/plugins/org.apache.commons.configuration_1.10.0.jar and is part of WSO2's core framework dependencies. Attempts to override this dependency version through Maven dependency management were unsuccessful, as the dependency appears to be embedded within WSO2's P2 feature system. A fix is pending from upstream WSO2, either by migrating to commons-configuration2 or by providing security patches for 1.x.