0042747: CVE in quartz 2.3.1 - Openbravo Issue Tracking System

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0042747

Openbravo ERP

A. Platform

public

2020-01-08 15:15

2020-01-10 09:15

Reporter

alostale

Assigned To

alostale

Priority

normal

Severity

minor

Reproducibility

have not tried

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

3.0PR20Q1

Fixed in Version

3.0PR20Q1

Merge Request Status

Review Assigned To

caristu

OBNetwork customer

Web browser

Modules

Core

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0042747: CVE in quartz 2.3.1

Description

Current quartz 2.3.1 has a known vulnerability (CVE-2019-13990 [1]).

Even it is not exploitable for Openbravo as it only affects in case jobs are defined as xml files, we should get updated to the latest version.

[1] https://nvd.nist.gov/vuln/detail/2019-13990 [^]

Steps To Reproduce

Not exploitable for Openbravo (see description).

Proposed Solution

Update to current latest version 2.3.2 which solves the issue [1].

[1] https://github.com/quartz-scheduler/quartz/issues/467 [^]

Additional Information