fix(security): Upgrade vulnerable dependencies flagged by OWASP Dependency Check #35235
Description
Summary
OWASP Dependency Check has flagged several vulnerable library versions in dotCMS. This issue tracks the required upgrades and suppressions for CVEs that are non-applicable due to how dotCMS uses those libraries.
Background
A customer security review identified the following vulnerable JARs. After investigation, they fall into three categories:
- Requires upgrade — genuine exposure in dotCMS's usage
- False positive / non-applicable — CVE applies to a different component or usage pattern not present in dotCMS
- Low risk, upgrade recommended — theoretically exploitable but requires conditions not present in standard deployments
Action Required: Upgrade Dependencies
High Priority
commons-beanutils 1.9.4 → 1.11.0
- CVE-2025-48734 (CVSS 8.8 HIGH): Unsafe reflection via `PropertyUtilsBean.getProperty()`. If user-controlled input reaches this call on an `enum` class, it can enable RCE via the class loader.
- Action: Upgrade to `commons-beanutils 1.11.0` in `bom/application/pom.xml`. Also audit call sites where `BeanUtils.getProperty()` / `PropertyUtils.getProperty()` are invoked to verify no untrusted user input reaches these methods.
dot.commons-io-2.0.1_2.jar + commons-io 2.11.0 → 2.14.0
- CVE-2024-47554 (CVSS 4.3 MEDIUM): `XmlStreamReader` exhausts CPU on maliciously crafted XML input. Affects commons-io 2.0–2.13.x. dotCMS accepts user-uploaded XML content, making this a valid exposure.
- Action: Upgrade standard `commons-io` to `2.14.0` in `bom/application/pom.xml`. Repackage `dot.commons-io` against commons-io 2.14.0+.
Medium Priority
guava-27.0.1-android.jar → 32.0.1-jre
- CVE-2023-2976 (CVSS 7.1): `FileBackedOutputStream` uses a world-readable temp directory on Unix.
- CVE-2020-8908 (CVSS 3.3): `Files.createTempDir()` creates world-writable temp dirs on Unix.
- Action: Upgrade to `guava 32.0.1-jre` in `bom/application/pom.xml`. Note: the `-android` variant is unusual for a server JVM; switch to the `-jre` variant.
bcprov-jdk15on-1.70.jar → 1.73
- CVE-2023-33202 (CVSS 5.5): `PEMParser` throws OOM on crafted ASN.1 input.
- Action: Upgrade the `bouncy-castle.version` property to `1.73` in `bom/application/pom.xml`.
commons-lang3-3.12.0.jar → 3.18.0
- CVE-2025-48924 (CVSS 5.3): `ClassUtils.getClass()` throws `StackOverflowError` on very long strings.
- Action: Upgrade to `commons-lang3 3.18.0` in `bom/application/pom.xml`.
Action Required: Add OWASP Suppressions
The following CVEs are not applicable to dotCMS's usage and should be suppressed in `owasp-suppressions.xml` to reduce noise in future scans.
Elasticsearch CVEs (16 total) — Server-side only
dotCMS uses elasticsearch-rest-high-level-client as a client JAR only. All 16 flagged CVEs are vulnerabilities in the Elasticsearch server process (node memory, ingest pipelines, audit logging, PKI realm, etc.) — not in the client library code.
CVEs to suppress: CVE-2021-22134, CVE-2021-22144, CVE-2021-22145, CVE-2023-31417, CVE-2023-31418, CVE-2023-31419, CVE-2023-46673, CVE-2023-46674 (affects elasticsearch-hadoop connector, not present in dotCMS), CVE-2023-49921, CVE-2024-23444, CVE-2024-23450, CVE-2024-52979, CVE-2025-37727, CVE-2025-37731, CVE-2025-68384, CVE-2025-68390
Note for customers: Customers running their own Elasticsearch 7.10.2 cluster should upgrade the cluster itself to 7.17.25+ independently of dotCMS.
Struts CVEs — Struts 2 misattribution / non-applicable XStream
dot.struts-1.2.10_1.jar is a custom-repackaged Struts 1.x library. Three of the five reported CVEs are Struts 2 vulnerabilities; Dependency Check is flagging them incorrectly due to JAR name pattern matching.
- CVE-2012-0391 (CVSS 8.8): Struts 2 OGNL RCE — Struts 1.x has no OGNL parameter handling. False positive.
- CVE-2023-34396 (CVSS 7.5): Struts 2 multipart DoS. False positive.
- CVE-2023-34149 (CVSS 7.5): Struts 2 DoS. False positive.
- CVE-2020-26258 (CVSS 7.7): XStream SSRF — Struts is used in dotCMS for legacy JSP/Tiles rendering only, not XStream deserialization. Not exploitable.
- CVE-2020-26259 (CVSS 7.5): XStream file deletion — additionally requires Java < 15; dotCMS runs Java 11+/17+. Not exploitable.
Note: Legacy Struts 1.x usage in dotCMS is actively being phased out. No Struts 1.x-specific CVEs affect the functionality used.
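As an added example (not dotCMS's own `owasp-suppressions.xml`), the following shows how the Elasticsearch and Struts suppressions above can be written for OWASP Dependency Check so that each entry is scoped to a specific artifact and an explicit CVE list rather than a blanket CPE match. The Maven coordinates in the `packageUrl` regex and the jar-name pattern in the `filePath` regex are assumptions; adjust them to the artifacts the scan actually reports.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency Check (not dotCMS's own
     owasp-suppressions.xml). The packageUrl coordinates and the jar filename pattern
     below are assumptions; adjust them to the artifacts the scan actually flags. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Elasticsearch: dotCMS ships elasticsearch-rest-high-level-client (and the
         org.elasticsearch:elasticsearch jar it pulls in) as a client only. The listed
         CVEs are server-process issues. Scoping by packageUrl plus explicit CVE ids
         keeps this entry from hiding a future client-side CVE. -->
    <suppress>
        <notes><![CDATA[
        Elasticsearch server-side CVEs; dotCMS uses the client JAR only.
        Source: customer security review, 2026-04-07. Re-evaluate if the ES client is upgraded.
        ]]></notes>
        <!-- Assumed coordinates: org.elasticsearch[.client]/* at version 7.10.2 -->
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch(\.client)?/.*@7\.10\.2$</packageUrl>
        <cve>CVE-2021-22134</cve>
        <cve>CVE-2021-22144</cve>
        <cve>CVE-2021-22145</cve>
        <cve>CVE-2023-31417</cve>
        <cve>CVE-2023-31418</cve>
        <cve>CVE-2023-31419</cve>
        <cve>CVE-2023-46673</cve>
        <cve>CVE-2023-46674</cve> <!-- elasticsearch-hadoop connector, not present in dotCMS -->
        <cve>CVE-2023-49921</cve>
        <cve>CVE-2024-23444</cve>
        <cve>CVE-2024-23450</cve>
        <cve>CVE-2024-52979</cve>
        <cve>CVE-2025-37727</cve>
        <cve>CVE-2025-37731</cve>
        <cve>CVE-2025-68384</cve>
        <cve>CVE-2025-68390</cve>
    </suppress>

    <!-- Struts: dot.struts-1.2.10_1.jar is a repackaged Struts 1.x library. Matching on
         the jar path (assumed name pattern) rather than suppressing the apache:struts
         CPE avoids muting a genuine Struts 1.x CVE reported in a later scan. -->
    <suppress>
        <notes><![CDATA[
        Struts 2 CVEs misattributed by JAR name matching, plus XStream CVEs that do not
        apply because dotCMS uses Struts 1.x for legacy JSP/Tiles rendering only.
        ]]></notes>
        <filePath regex="true">.*dot\.struts-1\.2\.10.*\.jar</filePath>
        <cve>CVE-2012-0391</cve>
        <cve>CVE-2023-34396</cve>
        <cve>CVE-2023-34149</cve>
        <cve>CVE-2020-26258</cve>
        <cve>CVE-2020-26259</cve>
    </suppress>
</suppressions>
```

Each `<suppress>` lists its CVEs explicitly and records the reasoning in `<notes>`, so a later reviewer can see why a finding was dismissed and the suppression never silently widens to new findings against the same artifact. The file is picked up through the `suppressionFiles` configuration of the `dependency-check-maven` plugin.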
Files to Modify
- `bom/application/pom.xml`: version bumps for all library upgrades
- `owasp-suppressions.xml`: add suppressions for non-applicable CVEs
References
- Reporter: Customer security review (Paul Wootton) via support portal, 2026-04-07
- CVE details sourced from NVD (nvd.nist.gov) and vendor advisories