Very high vulnerability in 1.7.9 #474
Labels
Comments
|
The rhino shell (which is what you get when you run "java -jar" on the
Rhino JAR) has a bunch of commands including one that lets you execute a
shell command. That's by design. People who are running Rhino on sensitive
environments should not be using that part of Rhino. If anyone has any idea
how to update the packaging or README to keep people from running into this
it'd be a great contribution.
…On Wed, Aug 22, 2018 at 5:49 AM AlexanderNikitin-Smartbear < ***@***.***> wrote:
Hi,
we've scanned the library with Veracode, and it found a very high
vulnerability. The report is attached.
rhino.pdf <https://github.com/mozilla/rhino/files/2310329/rhino.pdf>
Regards,
Alexander Nikitin
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#474>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAf0a78RLLHsUGi-lIHzQ4gcn57jPNLQks5uTVNbgaJpZM4WHl7s>
.
|
|
Move the shell-classes into a separate artefact depending on the core classes? A change to README doesn't keep anyone from running a main class part of the artefact. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
we've scanned the library with Veracode, and it found a very high vulnerability. The report is attached.
rhino.pdf
Regards,
Alexander Nikitin
The text was updated successfully, but these errors were encountered: