Manually updated plexus-utils used in antlr4-maven-plugin due to
CVE-2017-1000487.
Change-Id: I69aae162c880707ed087ca06cdf38be373679959
diff --git a/Changes b/Changes
index 22f037d..84e4bed 100644
--- a/Changes
+++ b/Changes
@@ -1,9 +1,11 @@
-0.37 2021-03-04
+0.37 2021-06-24
- [feature] Introduced query references in Poliqarp (diewald)
- [bugfix] Ignore empty corpus queries (diewald)
- [bugfix] Fix handling of apostrophes in multiword and regex
values in virtual corpora (#85; diewald)
- [feature] Added getVersion() and getName() methods (diewald)
+ - [bugfix] Updated plexus-utils used in antlr4-maven-plugin
+ manually due to CVE-2017-1000487 (margaretha)
0.36 2020-07-24
- [security] Upgraded version of Google Guava
diff --git a/pom.xml b/pom.xml
index f77143a..b6e74d5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -69,12 +69,21 @@
<version>${antlr4.version}</version>
<!-- <scope>provided</scope> -->
<exclusions>
+ <!-- incompatible with mock server -->
<exclusion>
<groupId>org.sonatype.sisu</groupId>
<artifactId>sisu-guava</artifactId>
</exclusion>
</exclusions>
- </dependency>
+ </dependency>
+ <!-- adding manually due to Shell Command Injection and Directory Traversal
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487
+ https://cwe.mitre.org/data/definitions/22.html -->
+ <dependency>
+ <groupId>org.codehaus.plexus</groupId>
+ <artifactId>plexus-utils</artifactId>
+ <version>3.3.0</version>
+ </dependency>
<dependency>
<groupId>org.antlr</groupId>
<artifactId>antlr-runtime</artifactId>
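Review bot: The plexus-utils override on lines 39–43 is declared as a sibling of the antlr4 `<dependency>`; if this list is the project's `<dependencies>` rather than a `<plugin><dependencies>` block, Maven's nearest-wins mediation applies it to the project classpath only, and the plugin's own execution classpath (where antlr4-maven-plugin actually runs) still resolves its transitive plexus-utils. The enclosing element starts outside the hunk, so this cannot be confirmed here; `mvn dependency:tree` would show which artifact ends up where. The version is also hard-coded as `3.3.0` where the neighbouring dependency uses `${antlr4.version}`; a `<plexus-utils.version>` property would keep future CVE bumps in one place. The comment on lines 36–38 should say what the entry is for, e.g. `<!-- overrides the vulnerable plexus-utils pulled in transitively by antlr4-maven-plugin (CVE-2017-1000487, CWE-22); remove once the plugin ships a fixed version -->`.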