0042747: CVE in quartz 2.3.1

Description

Current quartz 2.3.1 has a known vulnerability (CVE-2019-13990 [1]).

Even it is not exploitable for Openbravo as it only affects in case jobs are defined as xml files, we should get updated to the latest version.

[1] https://nvd.nist.gov/vuln/detail/2019-13990 [^]

Steps To Reproduce

Not exploitable for Openbravo (see description).

Proposed Solution

Update to current latest version 2.3.2 which solves the issue [1].

[1] https://github.com/quartz-scheduler/quartz/issues/467 [^]

Tags

No tags attached.

Attached Files

Relationships [ Relation Graph ] [ Dependency Graph ]

blocks

defect

0042746

closed

alostale

CVE in quartz 2.3.1

Notes
(0116754) hgbot (developer) 2020-01-10 09:02	Repository: erp/backports/3.0PR20Q1 Changeset: 223d941a1d73e88d9df300791d5dffb083661b79 Author: Asier Lostalé <asier.lostale <at> openbravo.com> Date: Wed Jan 08 15:20:48 2020 +0100 URL: http://code.openbravo.com/erp/backports/3.0PR20Q1/rev/223d941a1d73e88d9df300791d5dffb083661b79 [^] fixed BUG-42747: CVE in quartz 2.3.1 Updated quartz to 2.3.2 to solve reported CVE. --- M legal/Licensing.txt A lib/runtime/quartz-2.3.2.jar R lib/runtime/quartz-2.3.1.jar ---

(0116756) caristu (developer) 2020-01-10 09:15	Reviewed

Issue History
Date Modified	Username	Field	Change
2020-01-08 15:33	alostale	Type	defect => backport
2020-01-08 15:33	alostale	Target Version	=> 3.0PR20Q1
2020-01-08 15:33	alostale	Assigned To	platform => alostale
2020-01-10 09:02	hgbot	Checkin
2020-01-10 09:02	hgbot	Note Added: 0116754
2020-01-10 09:02	hgbot	Status	scheduled => resolved
2020-01-10 09:02	hgbot	Resolution	open => fixed
2020-01-10 09:02	hgbot	Fixed in SCM revision	=> http://code.openbravo.com/erp/backports/3.0PR20Q1/rev/223d941a1d73e88d9df300791d5dffb083661b79 [^]
2020-01-10 09:15	caristu	Note Added: 0116756
2020-01-10 09:15	caristu	Status	resolved => closed
2020-01-10 09:15	caristu	Fixed in Version	=> 3.0PR20Q1