Authorization Bypass Vulnerability - v1.14.1 #1242
I'm currently using version 2.4.4 of the bundle https://github.com/schmittjoh/JMSSerializerBundle.
This version requires the following constraint on the jms/serializer dependency: ^1.10 (https://github.com/schmittjoh/JMSSerializerBundle/blob/2.4.4/composer.json#L20) => The exact version of the serializer dependency that is used is 1.14.1.
During a software composition analysis scan, using Veracode, the following vulnerability popped up for that version: https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-5185/summary.
Does someone know more details about this vulnerability? And what kind of updates have been done so that the vulnerability seems to be gone since version 2.0.0?
I'm looking at the possibilities because it may not be that easy to upgrade to version 2.0.0, since the bundle is used through another dependency (Sylius eCommerce platform, where I'm also looking at this with them to upgrade the version of the bundle used).
Thank you in advance for your inputs & help.
Steps required to reproduce the problem
n/a
Expected Result
n/a
Actual Result
n/a
Comments
Hi. Do you know which sources are used by sca.analysiscenter.veracode.com to locate possible vulnerabilities?
Hi @goetas Thank you for your answer. Indeed, I was also a bit surprised to see such a vulnerability because I've never seen this before and I didn't find any further information about it.
solved in #1246