
Critical vulnerability found in nested dependency #184

@jeff-knurek

Description


By using httpclient@4.5.13, that library is importing commons-logging/commons-logging@1.2 which then has a very old version of log4j in use, with several critical vulnerabilities. The current one that is being raised by our SBOM scanning is https://www.cve.org/CVERecord?id=CVE-2020-9493

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

The latest httpclient4 version seems to be 4.5.14, which doesn't address the commons-logging library version, but you can maybe try upgrading to httpclient5 https://mvnrepository.com/artifact/org.apache.httpcomponents.client5/httpclient5


NOTE: these log4j vulnerabilities are classified as Critical, which for PCI compliance has a 30 day expected resolution. As a payment provider I hope that this might help escalate the attention of this issue 🤞
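Added example, not part of the issue above and not code from this project: a small Python script that walks the `dependencies` graph of a CycloneDX SBOM and prints every path from the application to a log4j 1.2.x artifact, plus the direct dependency that path enters through (the artifact you would replace or exclude). The SBOM embedded below is constructed for the example; the application name `payments-api`, the log4j patch version 1.2.17 and the httpcore/commons-codec versions are assumptions, not taken from the issue.

```python
"""Trace how a flagged transitive artifact reaches an application via a CycloneDX SBOM.

Constructed example: the SBOM below is hand-written for illustration. The chain
httpclient@4.5.13 -> commons-logging@1.2 -> log4j 1.2.x mirrors the issue text;
every other version and the application name are assumptions.
"""
import json

SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "application", "bom-ref": "pkg:maven/example/payments-api@1.0.0",
                  "name": "payments-api", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.apache.httpcomponents/httpclient@4.5.13",
     "group": "org.apache.httpcomponents", "name": "httpclient", "version": "4.5.13"},
    {"type": "library", "bom-ref": "pkg:maven/org.apache.httpcomponents/httpcore@4.4.13",
     "group": "org.apache.httpcomponents", "name": "httpcore", "version": "4.4.13"},
    {"type": "library", "bom-ref": "pkg:maven/commons-logging/commons-logging@1.2",
     "group": "commons-logging", "name": "commons-logging", "version": "1.2"},
    {"type": "library", "bom-ref": "pkg:maven/commons-codec/commons-codec@1.11",
     "group": "commons-codec", "name": "commons-codec", "version": "1.11"},
    {"type": "library", "bom-ref": "pkg:maven/log4j/log4j@1.2.17",
     "group": "log4j", "name": "log4j", "version": "1.2.17"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/payments-api@1.0.0",
     "dependsOn": ["pkg:maven/org.apache.httpcomponents/httpclient@4.5.13"]},
    {"ref": "pkg:maven/org.apache.httpcomponents/httpclient@4.5.13",
     "dependsOn": ["pkg:maven/org.apache.httpcomponents/httpcore@4.4.13",
                   "pkg:maven/commons-logging/commons-logging@1.2",
                   "pkg:maven/commons-codec/commons-codec@1.11"]},
    {"ref": "pkg:maven/commons-logging/commons-logging@1.2",
     "dependsOn": ["pkg:maven/log4j/log4j@1.2.17"]},
    {"ref": "pkg:maven/org.apache.httpcomponents/httpcore@4.4.13", "dependsOn": []},
    {"ref": "pkg:maven/commons-codec/commons-codec@1.11", "dependsOn": []},
    {"ref": "pkg:maven/log4j/log4j@1.2.17", "dependsOn": []}
  ]
}
"""


def parse_purl(ref):
    """Split a Maven package URL 'pkg:maven/<group>/<name>@<version>[?qualifiers]'."""
    body = ref.split("pkg:maven/", 1)[1].split("?", 1)[0]
    path, version = body.rsplit("@", 1)
    group, name = path.split("/", 1)
    return group, name, version


def is_log4j_1_2(ref):
    """Match the log4j 1.2.x line the issue's SBOM scan flags (CVE-2020-9493)."""
    group, name, version = parse_purl(ref)
    return group == "log4j" and name == "log4j" and version.startswith("1.2.")


def build_graph(sbom):
    """bom-ref -> list of bom-refs it depends on, from the SBOM 'dependencies' array."""
    return {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}


def find_paths(graph, root, predicate):
    """Depth-first search returning every root->...->match path; 'seen' guards cycles."""
    paths = []

    def walk(node, path, seen):
        if predicate(node):
            paths.append(path + [node])
            return
        for child in graph.get(node, []):
            if child not in seen:
                walk(child, path + [node], seen | {child})

    walk(root, [], {root})
    return paths


def explain(sbom_json):
    """Return each offending chain as 'root -> dep -> ... -> log4j' strings."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    return [" -> ".join(p) for p in find_paths(build_graph(sbom), root, is_log4j_1_2)]


def direct_culprits(sbom_json):
    """The direct dependencies (first hop after the root) that pull the artifact in."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    return {p[1] for p in find_paths(build_graph(sbom), root, is_log4j_1_2) if len(p) > 1}


if __name__ == "__main__":
    for chain in explain(SBOM_JSON):
        print(chain)
    print("act on:", ", ".join(sorted(direct_culprits(SBOM_JSON))))
```

A scanner finding names only the vulnerable artifact; the first hop after the root is what you actually have to change, here by moving to httpclient5 as the issue suggests or by adding a build-tool exclusion on that direct dependency. Point the script at a real SBOM by reading the file into `SBOM_JSON`; only the `dependencies` array and the root `bom-ref` are used.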
