ClojureScript has a transitive dependency with a known vulnerability (CVE-2015-5237).

+1 vote

asked Jan 28, 2020 in ClojureScript by Tom 1
edited Jan 28, 2020 by alexmiller

ClojureScript depends on a dated version of com.google.javascript/closure-compiler-unshaded (v20180805), which depends on a version of com.google.protobuf/protobuf-java (3.0.2) with known a vulnerability (CVE-2015-5237).

Logged at https://clojure.atlassian.net/browse/CLJS-3208

problem
jira

Please log in or register to add a comment.

Please log in or register to answer this question.

2 Answers

0 votes

answered Apr 27, 2020 by David Nolen

Best answer

Fixed in ClojureScript >= 1.10.741

Please log in or register to add a comment.

0 votes

answered Jan 28, 2020 by Ghadi Shayban

Sidenote: I'm curious about which scanning software revealed the vulnerability

commented Jan 28, 2020 by Tom 1

https://github.com/rm-hull/lein-nvd

Please log in or register to add a comment.

Welcome to Clojure Q&A, where you can ask questions and receive answers from members of the Clojure community.

ClojureScript has a transitive dependency with a known vulnerability (CVE-2015-5237).

Please log in or register to add a comment.

Please log in or register to answer this question.

2 Answers

Please log in or register to add a comment.

Please log in or register to add a comment.

Related questions

Categories