CVE-2026-45205 (GCVE-0-2026-45205)
Vulnerability from cvelistv5 – Published: 2026-05-14 11:22 – Updated: 2026-05-14 20:31
Title
Apache Commons Configuration: StackOverflowError for YAML input with cycles
Summary
Uncontrolled Recursion vulnerability in Apache Commons.
When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.
This issue affects Apache Commons: from 2.2 before 2.15.0.
Users are recommended to upgrade to version 2.15.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Commons Configuration | Affected: 2.2, < 2.15.0 (semver) |
Credits
Erichen, Institute of Computing Technology, Chinese Academy of Sciences
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:27:15.775461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:27:20.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-14T20:31:47.159Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.commons:commons-configuration2",
"product": "Apache Commons Configuration",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.15.0",
"status": "affected",
"version": "2.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Erichen, Institute of Computing Technology, Chinese Academy of Sciences"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in Apache Commons.\u003c/p\u003eWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Commons: from 2.2 before 2.15.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.15.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T11:22:43.908Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/commons-configuration/pull/634"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Commons Configuration: StackOverflowError for YAML input with cycles",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-45205",
"datePublished": "2026-05-14T11:22:43.908Z",
"dateReserved": "2026-05-11T13:16:23.243Z",
"dateUpdated": "2026-05-14T20:31:47.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-45205",
"date": "2026-06-12",
"epss": "0.00129",
"percentile": "0.32041"
}
}
}
FKIE_CVE-2026-45205
Vulnerability from fkie_nvd - Published: 2026-05-14 12:16 - Updated: 2026-05-15 18:40
Summary
Uncontrolled Recursion vulnerability in Apache Commons.
When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.
This issue affects Apache Commons: from 2.2 before 2.15.0.
Users are recommended to upgrade to version 2.15.0, which fixes the issue.
References
| Source | URL | Tags |
|---|---|---|
| security@apache.org | https://github.com/apache/commons-configuration/pull/634 | Issue Tracking, Patch |
| security@apache.org | https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk | Mailing List, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2026/05/14/5 | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| apache | commons_configuration | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F44897-8ACE-43B1-BC15-D18A745B7A82",
"versionEndExcluding": "2.15.0",
"versionStartIncluding": "2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue."
}
],
"id": "CVE-2026-45205",
"lastModified": "2026-05-15T18:40:16.007",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-05-14T12:16:35.687",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/apache/commons-configuration/pull/634"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/5"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
GHSA-337M-MW94-2V6G
Vulnerability from github – Published: 2026-05-14 12:30 – Updated: 2026-05-20 15:36
Summary
Apache Commons Configuration: StackOverflowError for YAML input with cycles
Details
Uncontrolled Recursion vulnerability in Apache Commons.
When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0.
Users are recommended to upgrade to version 2.15.0, which fixes the issue.
Severity
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.commons:commons-configuration2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "2.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45205"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-20T15:36:43Z",
"nvd_published_at": "2026-05-14T12:16:35Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue.",
"id": "GHSA-337m-mw94-2v6g",
"modified": "2026-05-20T15:36:43Z",
"published": "2026-05-14T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45205"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-configuration/pull/634"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-configuration"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Apache Commons Configuration: StackOverflowError for YAML input with cycles"
}
OPENSUSE-SU-2026:10784-1
Vulnerability from csaf_opensuse - Published: 2026-05-16 00:00 - Updated: 2026-05-16 00:00
Summary
apache-commons-configuration2-2.15.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: apache-commons-configuration2-2.15.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the apache-commons-configuration2-2.15.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10784
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.7 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "apache-commons-configuration2-2.15.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the apache-commons-configuration2-2.15.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10784",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10784-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-45205 page",
"url": "https://www.suse.com/security/cve/CVE-2026-45205/"
}
],
"title": "apache-commons-configuration2-2.15.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-16T00:00:00Z",
"generator": {
"date": "2026-05-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10784-1",
"initial_release_date": "2026-05-16T00:00:00Z",
"revision_history": [
{
"date": "2026-05-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-configuration2-2.15.0-1.1.aarch64",
"product": {
"name": "apache-commons-configuration2-2.15.0-1.1.aarch64",
"product_id": "apache-commons-configuration2-2.15.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"product": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"product_id": "apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-configuration2-2.15.0-1.1.ppc64le",
"product": {
"name": "apache-commons-configuration2-2.15.0-1.1.ppc64le",
"product_id": "apache-commons-configuration2-2.15.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"product": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"product_id": "apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-configuration2-2.15.0-1.1.s390x",
"product": {
"name": "apache-commons-configuration2-2.15.0-1.1.s390x",
"product_id": "apache-commons-configuration2-2.15.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"product": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"product_id": "apache-commons-configuration2-javadoc-2.15.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-configuration2-2.15.0-1.1.x86_64",
"product": {
"name": "apache-commons-configuration2-2.15.0-1.1.x86_64",
"product_id": "apache-commons-configuration2-2.15.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64",
"product": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64",
"product_id": "apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64"
},
"product_reference": "apache-commons-configuration2-2.15.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le"
},
"product_reference": "apache-commons-configuration2-2.15.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x"
},
"product_reference": "apache-commons-configuration2-2.15.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64"
},
"product_reference": "apache-commons-configuration2-2.15.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2026-45205",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-45205"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-45205",
"url": "https://www.suse.com/security/cve/CVE-2026-45205"
},
{
"category": "external",
"summary": "SUSE Bug 1265299 for CVE-2026-45205",
"url": "https://bugzilla.suse.com/1265299"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-2.15.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.15.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-45205"
}
]
}
SUSE-SU-2026:21996-1
Vulnerability from csaf_suse - Published: 2026-05-29 08:47 - Updated: 2026-05-29 08:47
Summary
Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec
Severity
Important
Notes
Title of the patch: Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec
Description of the patch: This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues:
Changes in apache-commons-lang3:
- Update to 3.20.0
* New features:
+ Add SystemProperties.getPath(String, Supplier<Path>)
+ Add JavaVersion.JAVA_25
+ Add JavaVersion.JAVA_26
+ Add SystemUtils.IS_JAVA_25
+ Add SystemUtils.IS_JAVA_26
+ Add MutablePair.ofNonNull(Map.Entry)
+ Add TimedSemaphore.builder(), Builder, and deprecate
constructors
+ LANG-1504: Adding labels and history to split StopWatch
* Fixed Bugs:
+ Optimize ObjectToStringComparator.compare() method
+ [javadoc] Improve StringUtils Javadoc
+ Fix internal inverted logic in private isEnum() method and
correct its usage in getFirstEnum()
+ Use accessors in ToStringStyle so subclasses can effectively
override them
+ 'LocaleUtils.toLocale(String)' for a 2 letter country code
now returns a value instead of throwing an
'IllegalArgumentException'
+ Fix typo in StringUtils.trunctate() IllegalArgumentException
message and test assertion messages
+ Fix test fixture in
ReflectionDiffBuilderTest.testTransientFieldDifference()
+ LANG-1789: NullPointerException when generating
NoSuchMethodException in MethodUtils
+ LANG-1786: Map deprecated TimeZone short IDs and avoid JRE
WARNINGs to the console
+ LANG-1792: TypeUtils.toString() skips angle brackets for Class
type
+ Mention JDK 25 LTS as a tested version in the release notes
* Changes:
+ Bump org.apache.commons:commons-parent from 88 to 92
- Update to 3.19.0
* New features:
+ Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH
+ Add SystemUtils.IS_OS_NETWARE
+ Add MethodUtils.getAccessibleMethod(Class, Method)
+ Add documentation to site for CVE-2025-48924
ClassUtils.getClass(...) can throw a StackOverflowError on
very long inputs
+ Add StringUtils.indexOfAny(CharSequence, int, char...)
+ Add ConcurrentException.ConcurrentException(String)
+ Add DateUtils.toLocalDateTime(Date[, TimeZone])
+ Add DateUtils.toOffsetDateTime(Date[, TimeZone])
+ Add DateUtils.toZonedDateTime(Date[, TimeZone])
+ Add ByteConsumer
+ Add ByteSupplier
+ Add FailableByteConsumer
+ Add FailableByteSupplier
+ LANG-1784: Add Functions methods for null-safe mapping and
chaining
+ LANG-1784: Add Failable methods for null-safe mapping and
chaining
+ Add DoubleRange.fit(double)
+ Add IntegerRange.fit(int)
+ Add LongRange.fit(long)
+ Add DurationUtils.get(String, TemporalUnit, long)
+ Add DurationUtils.getMillis(String, long)
+ Add DurationUtils.getSeconds(String, long)
+ Add SystemProperties.getBoolean(Class, String, boolean)
+ Add SystemProperties.getInt(Class, String, int)
+ Add SystemProperties.getLong(Class, String, long)
* Fixed Bugs:
+ LANG-1778: MethodUtils.getMatchingMethod() doesn't respect the
hierarchy of methods
+ MethodUtils.getMethodObject(Class<?>, String, Class<?>...) now
returns null instead of throwing a NullPointerException, as it
does for other exception types
+ Reduce spurious failures in ArrayUtilsTest methods that test
ArrayUtils.shuffle() methods
+ MethodUtils cannot find or invoke a public method on a public
class implemented in its package-private superclass
+ AtomicSafeInitializer.get() can spin internally if the
FailableSupplier given to AbstractConcurrentInitializer
.AbstractBuilder.setInitializer(FailableSupplier) throws a
RuntimeException
+ LANG-1783: WordUtils.containsAllWords?() may throw
PatternSyntaxException
+ LANG-1782: MethodUtils cannot find or invoke vararg methods
without providing vararg types or values
+ MethodUtils cannot find or invoke vararg methods of interface
types
+ MethodUtils cannot find or invoke vararg methods when widening
primitive types following the JLS 5.1.2. Widening Primitive
Conversion
+ LANG-1597: Invocation fails because matching varargs method
found but then discarded
+ Don't check accessibility twice in MemberUtils
.setAccessibleWorkaround(T)
+ LANG-1774: Improve handling of ClassUtils
.getShortCanonicalName() for invalid input
+ LANG-1720: Improve Javadocs for Conversion
+ Fix CalendarUtils.toLocalDate() Javadoc return type
description
+ Fix the method name in Javadoc examples for CharUtils.isHex()
+ Deprecate NumberUtils.compare(byte, byte) in favor of
Byte.compare(byte, byte)
+ Deprecate NumberUtils.compare(int, int) in favor of
Integer.compare(int, int)
+ Deprecate NumberUtils.compare(long, long) in favor of
Long.compare(long, long)
+ Deprecate NumberUtils.compare(short, short) in favor of
Short.compare(short, short)
+ Deprecate obsolete system property constant
SystemProperties.AWT_TOOLKIT
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_FONTS
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_GRAPHICSENV
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_HEADLESS
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_PRINTERJOB
+ Deprecate obsolete system property constant
SystemProperties.JAVA_COMPILER
+ Deprecate obsolete system property constant
SystemProperties.JAVA_ENDORSED_DIRS
+ Deprecate obsolete system property constant
SystemProperties.JAVA_EXT_DIRS
+ Deprecate method for obsolete system property constant
SystemProperties.getAwtToolkit()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtFonts()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtGraphicsenv()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtHeadless()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtPrinterjob()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaCompiler()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaEndorsedDirs()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaExtDirs()
+ Deprecate method for obsolete system property constant
SystemUtils.isJavaAwtHeadless()
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_FONTS
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_GRAPHICSENV
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_HEADLESS
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_PRINTERJOB
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_COMPILER
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_ENDORSED_DIRS
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_EXT_DIRS
+ [javadoc] General improvements
+ [javadoc] Fix thrown exception documentation for
MethodUtils.getMethodObject(Class<?>, String, Class<?>...)
+ [javadoc] Strings::equalsAny: CI doc string should show it's
insensitive
+ [javadoc] General Javadoc improvements
+ LANG-1780: [javadoc] Fix Strings Javadoc
+ [javadoc] Fix typo in Javadoc of Strings instances
+ [javadoc] Fix Javadocs in ClassUtils
+ [javadoc] Fix @deprecated link for StringUtils#startsWithAny
+ Replace old feather logotype with new oak logotype
* Changes:
+ [test] Bump org.apache.commons:commons-text from 1.13.1 to
1.14.0
+ Bump org.apache.commons:commons-parent from 85 to 88
- Update to 3.18.0
- Fix component version in default.properties to 3.12
* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Correct implementation of RandomUtils.nextLong(long, long).
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Bump junit-bom from 5.7.0 to 5.7.1.
* Ignored exception 'ignored', should not be called so.
* Change array style from 'int a[]' to 'int[] a'.
Changes in apache-commons-text:
- Upgrade to version 1.15.0
* New features
+ Add experimental CycloneDX VEX file
+ TEXT-235: Add Damerau-Levenshtein distance
+ Add unit tests to increase coverage
+ Add new test for CharSequenceTranslator#with()
+ Add tests and assertions to org.apache.commons.text.similarity
to get to 100% code coverage
* Fixed Bugs
+ Fix exception message typo in XmlStringLookup
.XmlStringLookup(Map, Path...)
+ TEXT-236: Inserting at the end of a TextStringBuilder throws
a StringIndexOutOfBoundsException
+ Fix TextStringBuilderTest.testAppendToCharBuffer() to use
proper argument type
+ Fix Apache RAT plugin console warnings
+ Fix site XML to use version 2.0.0 XML schema
+ Removed unreachable threshold verification code in
src/main/java/org/apache/commons/text/similarity
+ Enable secure processing for the XML parser in XmlStringLookup
in case the underlying JAXP implementation doesn't
- Upgrade to version 1.14.0
* New features
+ Interface StringLookup now extends UnaryOperator<String>
+ Interface TextRandomProvider extends IntUnaryOperator
+ Add RandomStringGenerator.Builder
.usingRandom(IntUnaryOperator)
+ Add PMD check to default Maven goal
+ Add org.apache.commons.text.RandomStringGenerator.Builder
.setAccumulate(boolean)
* Fixed Bugs
+ Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory
+ Fix PMD UnnecessaryFullyQualifiedName in
DefaultStringLookupsHolder
+ Fix PMD UnnecessaryFullyQualifiedName in
PropertiesStringLookup
+ Fix PMD UnnecessaryFullyQualifiedName in
JavaPlatformStringLookup
+ Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor
+ Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor
+ Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter
+ Fix PMD AvoidBranchingStatementAsLastInLoop in
TextStringBuilder
+ Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder
+ org.apache.commons.text.translate.LookupTranslator
.LookupTranslator(Map<CharSequence, CharSequence>) now throws
NullPointerException instead of
java.security.InvalidParameterException
- Upgrade to version 1.13.1
* Fixed Bugs
+ Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS
(from org.apache.commons:commons-parent:80)
+ Deprecate EntityArrays.EntityArrays()
+ StringLookupFactory.DefaultStringLookupsHolder
.createDefaultStringLookups() maps DefaultStringLookup
.LOCAL_HOST twice instead of once for LOCAL_HOST and
LOOPBACK_ADDRESS
- Upgrade to version 1.13.0
* New features
+ Add StringLookupFactory.loopbackAddressStringLookup()
+ Add StringLookupFactory.KEY_LOOPBACK_ADDRESS
+ Add DefaultStringLookup.LOOPBACK_ADDRESS
+ Add richer inputs in package org.apache.commons.text
.similarity with SimilarityInput
+ Add HammingDistance.apply(SimilarityInput, SimilarityInput)
+ Add JaccardDistance.apply(SimilarityInput, SimilarityInput)
+ Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)
+ Add JaroWinklerDistance.apply(SimilarityInput,
SimilarityInput)
+ Add JaroWinklerSimilarity.apply(SimilarityInput,
SimilarityInput)
+ Add LevenshteinDetailedDistance.apply(SimilarityInput,
SimilarityInput)
+ Add LevenshteinDistance.apply(SimilarityInput,
SimilarityInput)
* Fixed Bugs
+ Fix build on Java 22
+ Fix build on Java 23-ea
+ Make package-private constructor private:
StrLookup.MapStrLookup.MapStrLookup(Map)
+ Make package-private constructor private: StrLookup
.SystemPropertiesStrLookup.SystemPropertiesStrLookup()
+ Make package-private class private and final: MapStrLookup
+ Make package-private class private: StrMatcher.CharMatcher
+ Make package-private class private: StrMatcher.CharSetMatcher
+ Make package-private class private: StrMatcher.NoMatcher
+ Make package-private class private: StrMatcher.StringMatcher
+ Make package-private class private: StrMatcher.TrimMatcher
+ Make package-private class private and final:
IntersectionSimilarity.BagCount
+ Make package-private class private and final:
IntersectionSimilarity.TinyCount
+ Deprecate LevenshteinDistance.LevenshteinDistance() in favor
of LevenshteinDistance.getDefaultInstance()
+ Deprecate LevenshteinDetailedDistance
.LevenshteinDetailedDistance() in favor of
LevenshteinDetailedDistance.getDefaultInstance()
+ TEXT-234: Improve StrBuilder documentation for new line text
+ TEXT-234: Improve TextStringBuilder documentation for new line
text
+ TEXT-233: Required OSGi Import-Package version numbers in
MANIFEST.MF
- Upgrade to version 1.12.0
* New features
+ Add StringLookupFactory.fileStringLookup(Path...) and
deprecated fileStringLookup()
+ Add StringLookupFactory.propertiesStringLookup(Path...) and
deprecated propertiesStringLookup()
+ Add StringLookupFactory.xmlStringLookup(Map, Path...) and
deprecated xmlStringLookup() and xmlStringLookup(Map)
+ Add StringLookupFactory.builder() for fencing Path resolution
of the file, properties and XML lookups
+ Add DoubleFormat.Builder.get() as Builder now implements
Supplier
* Fixed Bugs
+ TEXT-232: WordUtils.containsAllWords?() may throw
PatternSyntaxException
+ TEXT-175: Fix regression for determining whitespace in
WordUtils
+ Deprecate Builder in favor of Supplier
- Upgrade to version 1.11.0
* New features
+ TEXT-224: Set SecureProcessing feature in XmlStringLookup by
default
+ TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String,
Boolean>...)
+ Add @FunctionalInterface to FormatFactory
+ Add RandomStringGenerator.builder()
+ TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup
+ Add StringSubstitutor.toString()
* Fixed Bugs
+ TEXT-219: Fix StringTokenizer.getTokenList to return an
independent modifiable list
+ Fix Javadoc for StringEscapeUtils.escapeHtml4
+ TextStringBuidler#hashCode() allocates a String on each call
+ TEXT-221: Fix Bundle-SymbolicName to use the package name
org.apache.commons.text
+ Add and use a package-private singleton for RegexTokenizer
+ Add and use a package-private singleton for CosineSimilarity
+ Add and use a package-private singleton for
LongestCommonSubsequence
+ Add and use a package-private singleton for
JaroWinklerSimilarity
+ Add and use a package-private singleton for JaccardSimilarity
+ [StepSecurity] ci: Harden GitHub Actions
+ Improve AlphabetConverter Javadoc
+ Fix exception message in IntersectionResult to make
set-theoretic sense
+ Add null-check in RandomStringGenerator#Builder#selectFrom()
to avoid NullPointerException
+ Add null-check in RandomStringGenerator#Builder#withinRange()
to avoid NullPointerException
+ TEXT-228: Fix TextStringBuilder to over-allocate when ensuring
capacity
+ Constructor for ResourceBundleStringLookup should be private
instead of package-private
+ Constructor for UrlDecoderStringLookup should be private
instead of package-private
+ Constructor for UrlEncoderStringLookup should be private
instead of package-private
+ TEXT-230: Javadoc of org.apache.commons.text.lookup
.DefaultStringLookup.XML is incorrect
+ Update DoubleFormat to state it is based on Double.toString
+ Removed non-existing parameter from Javadocs and spelled out
+ StringEscapeUtils.unescapeCsv doesn't remove quotes at begin
+ Refactor TextStringBuilder.readFrom(Readable), extracting
+ Add org.apache.commons.text.TextStringBuilder.drainChars(int,
+ Add org.apache.commons.text.TextStringBuilder.wrap(char[],
Changes in apache-commons-configuration2:
- Upgrade to version 2.15.0
* Changes
+ Disable include schemes http[s] by default, see
AbstractFileLocationStrategy
+ Detect and avoid processing cycles in YAML input
(YAMLConfiguration) (bsc#1265299, CVE-2026-45205)
+ Extend scheme validation to inner schemes of jar: URLs
- Upgrade to version 2.14.0
* New features
+ Add XMLConfiguration.read(Element)
+ Add ConfigurationException.ConfigurationException(String,
Object...)
+ Add ConfigurationException.ConfigurationException(Throwable,
String, Object...)
+ Add ConversionException.ConversionException(String, Object...)
+ Add ConversionException.ConversionException(Throwable, String,
Object...)
+ Add ConfigurationRuntimeException
.ConfigurationRuntimeException(Throwable, String, Object...)
* Fixed Bugs
+ Fix Apache RAT plugin console warnings
+ Migrate from deprecated APIs
- Upgrade to version 2.13.0
* New features
+ Add org.apache.commons.configuration2.ImmutableConfiguration
.entrySet()
+ Add org.apache.commons.configuration2.ImmutableConfiguration
.forEach(BiConsumer<String, Object>)
+ Add VEX entry for CVE-2025-48924
* Fixed Bugs
+ Shared primitive variable "throwExceptionOnMissing" in one
thread may not yield the value of the most recent write from
another thread [org.apache.commons.configuration2
.AbstractConfiguration] At AbstractConfiguration.java:
[line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
+ Shared primitive variable "forceSingleLine" in one thread may
not yield the value of the most recent write from another
thread [org.apache.commons.configuration2
.PropertiesConfigurationLayout]
At PropertiesConfigurationLayout.java:[line 821]
AT_STALE_THREAD_WRITE_OF_PRIMITIVE
+ CONFIGURATION-849: Fix undoubling of strings
+ CONFIGURATION-852: Mark the package jakarta.servlet.* import
as optional in OSGi
+ Fix build [WARNING] Parameter 'forkMode' is unknown for plugin
'maven-surefire-plugin:3.5.3:test (default-test)'
- Upgrade to version 2.12.0
* New features:
+ Add PrefixedKeysIterator.toString() to package-private
PrefixedKeysIterator
+ CONFIGURATION-836: New web configurations using the
jakarta.servlet namespace are now available
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletContextConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletFilterConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletRequestConfiguration
+ Add org.apache.commons.configuration2
.AbstractHierarchicalConfiguration.getKeysInternal(String,
String)
* Fixed Bugs:
+ PropertyConverter.to(Class, Object, DefaultConversionHandler)
doesn't convert custom java.lang.Number subclasses
+ DefaultConversionHandler.convertValue(Object, Class,
ConfigurationInterpolator) doesn't convert custom java.lang
.Number subclasses
+ DefaultConversionHandler.to(Object, Class,
ConfigurationInterpolator) doesn't convert custom java.lang
.Number subclasses
+ CONFIGURATION-848: SubsetConfiguration does not account for
delimiters as it did in 2.9.0
+ CONFIGURATION-848: CompositeConfiguration does not account for
delimiters as it did in 2.9.0
+ Describe the security model
+ De-emphasize the 1.x version line on the website
+ CONFIGURATION-851: HomeDirectoryLocationStrategy no longer
resolves the user HOME directory correctly
- Upgrade to version 2.11.0
* New features
+ CONFIGURATION-844: Add support for empty sections
+ Add ImmutableConfiguration.containsValue(Object)
* Fixed Bugs
+ Fail-fast with a NullPointerException if DataConfiguration
.DataConfiguration(Configuration) is called with null
+ Fail-fast with a NullPointerException if
XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element)
is called with null
+ Fail-fast with a NullPointerException if a SubsetConfiguration
constructor is called with a null Configuration
+ CONFIGURATION-843: Methods should not be empty
+ Guard MapConfiguration against null maps
+ Fail-fast with a NullPointerException if
AppletConfiguration(Applet) is called with null
+ Fail-fast with a NullPointerException if
ServletConfiguration(Servlet) is called with null
+ Fail-fast with a NullPointerException if
ServletConfiguration(ServletConfig) is called with null
+ Fail-fast with a NullPointerException if
ServletContextConfiguration(Servlet) is called with null
+ Fail-fast with a NullPointerException if
ServletContextConfiguration(ServletContext) is called with null
+ Fail-fast with a NullPointerException if
ServletFilterConfiguration(FilterConfig) is called with null
+ Fail-fast with a NullPointerException if
ServletRequestConfiguration(ServletRequest) is called with
null
+ Deprecate DatabaseConfiguration.getDatasource() in favor of
getDataSource()
+ Fix PMD DynamicCombinedConfiguration in
AbstractImmutableNodeHandler
+ Fix PMD DynamicCombinedConfiguration in
AbstractListDelimiterHandler
+ Fix PMD DynamicCombinedConfiguration in
DefaultPrefixLookupsHolder
+ Fix PMD DynamicCombinedConfiguration in
DynamicCombinedConfiguration
+ Fix PMD DynamicCombinedConfiguration in
PropertiesConfiguration
+ CONFIGURATION-846: Restore previous behavior allowing Spring
to inject multiple values
+ CONFIGURATION-847: Property with an empty string value was not
processed
Changes in apache-commons-cli:
- Update to 1.11.0
* New Features
+ Add CommandLine.getOptionCount() to measure option repetition
* Fixed Bugs
+ CLI-351: Multiple trailing BREAK_CHAR_SET characters cause
infinite loop in HelpFormatter
+ CLI-351: Fix issue with groups not being reported in help
output
Changes in apache-commons-io:
- Upgrade to 2.22.0
* New features
+ Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)
+ Add ProxyWriter.setReference(Writer)
+ Add ProxyWriter.unwrap()
+ Add ProxyReader.setReference(Reader)
+ Add ProxyReader.unwrap()
+ IO-883: ByteArraySeekableByteChannel should optionally
configure a read-only channel
+ IO-883: Add ByteArraySeekableByteChannel.Builder and builder()
+ IO-883: Add AbstractStreamBuilder.getByteArray()
+ CloseShieldInputStream now supports a custom close shield as
a function
+ Add FlushShieldOutputStream to workaround issues in generic
code that ends up calling third parties like
org.tukaani.xz.LZMAOutputStream.flush()
+ Add filter channels
* Fixed Bugs
+ Fix Apache RAT plugin console warnings
+ ByteArraySeekableByteChannel.position(long) and truncate(long)
shouldn't throw an IllegalArgumentException for a new positive
position that's too large
+ Fix malformed Javadoc comments
+ ReadAheadInputStream.close() doesn't always close its filtered
input stream
+ ReadAheadInputStream now restores the current thread's
interrupt flag when catching InterruptedException
+ FileAlterationMonitor.stop(long) now restores the current
thread's interrupt flag when catching InterruptedException
+ FileCleaningTracker now restores the current thread's
interrupt flag when catching InterruptedException
+ ThreadMonitor.run() now restores the current thread's
interrupt flag when catching InterruptedException
+ ThrottledInputStream.throttle() now restores the current
thread's interrupt flag when catching InterruptedException
+ ThrottledInputStream.throttle() doesn't preserve the original
InterruptedException as the cause of its
InterruptedIOException
+ All thread names are now prefixed with "commons-io-"
+ IO-639: ReversedLinesFileReader does not read first line if
its empty
+ IO-886: Fixed incorrect regular expression in
PathUtils.RelativeSortedPaths.extractKey(String, String)
+ Fix typos in Javadoc of FileUtils and related test classes
+ IO-887: WriterOutputStream from a builder fails on malformed
or unmappable input bytes
+ BoundedReader now extends ProxyReader
+ AbstractStreamBuilder.setOpenOptions(OpenOption...) now makes
a defensive copy of its input array
+ IO-885: Path visits follow links
+ BOMInputStream fail-fast and tracks its ByteOrderMark as a final
+ Refactor UnixLineEndingInputStream and
WindowsLineEndingInputStream for duplication
+ IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils
+ Fix JaCoCo report generation (code coverage)
+ AbstractStreamBuilder.setBufferSizeDefault(int) now resets to
default for input less than or equal to zero
* Changes
+ Bump org.apache.commons:commons-parent from 91 to 98
+ Bump commons-codec:commons-codec from 1.19.0 to 1.21.0
+ Bump commons.bytebuddy.version from 1.17.8 to 1.18.8
+ Bump commons-lang3 from 3.19.0 to 3.20.0
Changes in apache-commons-codec:
- Update to 1.22.0
* New features
+ CODEC-326: Add Base58 support
+ Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[])
+ CODEC-335: Add GitIdentifiers to compute Git blob and tree
object identifiers
* Fixed Bugs
+ CODEC-249: Fix Incorrect transform of CH digraph according
Metaphone basic rules #423
+ CODEC-317: ColognePhonetic can create duplicate consecutive
codes in some cases
+ Add boundary tests for BinaryCodec.fromAscii partial-bit
inputs #425
+ CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc
incorrectly states null is accepted for primitive boolean
parameter
* Changes
+ Bump org.apache.commons:commons-parent from 96 to 98
- Update to 1.21.0
* New features
+ CODEC-333: Add distinct Base64 decoding for standard and
URL-safe formats
* Fixed Bugs
+ Fix oak leaf icon references in overview.html when running
'mvn clean javadoc:javadoc'
+ Fix Apache RAT plugin console warnings
+ Fix malformed Javadoc comments
* Changes
+ Bump org.apache.commons:commons-parent from 91 to 96 #415,
#418
+ Bump commons-io:commons-io from 2.20.0 to 2.21.0
+ Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0
- Update to 1.20.0
* New features
+ Add org.apache.commons.codec.digest.Crc16
+ Add builders to org.apache.commons.codec.digest streams and
deprecate some old constructors
+ Add builder to Base16 streams and deprecate some old
constructors
+ Add support for SHAKE128-256 and SHAKE256-512 to 'DigestUtils'
and 'MessageDigestAlgorithms' on Java 25 and up
+ Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and
refactor subclasses
* Changes
+ Deprecate all but one Base32 constructor in favor of the
builder added in version 1.17.0
+ Deprecate all but one Base64 constructor in favor of the
builder added in version 1.17.0
+ BaseNCodecInputStream subclasses are now type-safe to match
its matching BaseNCodec
+ BaseNCodecOutputStream subclasses are now type-safe to match
its matching BaseNCodec
+ Bump org.apache.commons:commons-parent from 85 to 91
+ [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to
3.19.0
- Update to 1.19.0
* New features
+ Add HmacUtils.hmac(Path)
+ Add HmacUtils.hmacHex(Path)
+ Add PMD check to the default Maven goal
+ Add SpotBugs check to the default Maven goal
* Fixed Bugs
+ Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS
(from org.apache.commons:commons-parent:80)
+ Refactor DigestUtils.updateDigest(MessageDigest, File) to use
NIO
+ CODEC-328: Clarify Javadoc for
org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String)
+ Precompile regular expressions in DaitchMokotoffSoundex.Rule
+ Precompile regular expressions in
DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map)
+ Precompile regular expressions in
Lang.loadFromResource(String, Languages)
+ Precompile regular expressions in
PhoneticEngine.encode(String, LanguageSet)
+ Precompile regular expressions in
org.apache.commons.codec.language.bm.Rule.parse*(*)
+ Remove redundant checks for whitespace in
DaitchMokotoffSoundex.soundex(String, boolean)
+ Javadoc typo in Base16.java #380
+ Deprecate unused constant org.apache.commons.codec.language.bm
.Rule.ALL
+ CODEC-331: org.apache.commons.codec.language.bm.Rule
.parsePhonemeExpr(String) adds duplicate empty phoneme when
input ends with |
+ CODEC-331: org.apache.commons.codec.language
.DaitchMokotoffSoundex.cleanup(String) does not remove special
characters like punctuation
+ Fix PMD multiple UnnecessaryFullyQualifiedName in
org.apache.commons.codec.binary.StringUtils
+ Fix PMD UnusedFormalParameter in private constructor in
org.apache.commons.codec.binary.Base16
+ Fix PMD multiple UnnecessaryFullyQualifiedName in
org.apache.commons.codec.digest.Blake3
+ Fix PMD UnnecessaryFullyQualifiedName in
org.apache.commons.codec.digest.Md5Crypt
+ Fix PMD EmptyControlStatement in
org.apache.commons.codec.language.Metaphone
+ Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary
.BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose
internal representation by storing an externally mutable
object into BaseNCodec$AbstractBuilder.encodeTable [org.apache
.commons.codec.binary.BaseNCodec$AbstractBuilder] At
BaseNCodec.java:[line 131] EI_EXPOSE_REP2
+ The method org.apache.commons.codec.binary.BaseNCodec
.AbstractBuilder.setLineSeparator(byte...) now makes a
defensive copy
+ Avoid unnecessary String conversion in
org.apache.commons.codec.language.bm.PhoneticEngine
.applyFinalRules(PhonemeBuilder, Map)
+ Fix SpotBugs [ERROR] High: Potentially dangerous use of
non-short-circuit logic in org.apache.commons.codec.language
.DaitchMokotoffSoundex.cleanup(String)
[org.apache.commons.codec.language.DaitchMokotoffSoundex] At
DaitchMokotoffSoundex.java:[line 350]
NS_DANGEROUS_NON_SHORT_CIRCUIT
* Changes
+ Bump org.apache.commons:commons-parent from 79 to 85 #375
+ [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0
+ [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to
3.18.0 #386
- Update to 1.16.0:
* Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
+ Support java.nio.ByteBuffer in
* Fixed bugs:
- Don't condition the maven defines on release version, but on
+ Add Daitch-Mokotoff Soundex
+ Make possible to provide padding byte to BaseNCodec in constructor
urlSafe parameter
is mandatory to call close()
+ Add support for HMAC Message Authentication Code (MAC) digests
+ Beider Morse Phonetic Matching producing incorrect tokens
using empty strings
Issue: CODEC-184.
+ Fix Javadoc 1.8.0 errors
+ Fix Java 8 build Javadoc errors
Issue: CODEC-189.
+ Deprecate Charsets Charset constants in favor of Java 7's
java.nio.charset.StandardCharsets
Issue: CODEC-178.
+ Update from commons-parent 34 to 35
Issue: CODEC-190.
- update to 1.8
* Add DigestUtils.updateDigest(MessageDigest, InputStream)
* Add Match Rating Approach (MRA) phonetic algorithm encoder
* ColognePhonetic encoder unnecessarily creates many char arrays on every loop run
- add junit4 to fix a build fail
- update to 1.6, sync with Fedora
Patchnames: SUSE-SLES-16.0-822
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.7 (Medium)
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues:\n\nChanges in apache-commons-lang3:\n\nUpdate to 3.20.0\n\n * New features:\n\n + Add SystemProperties.getPath(String, Supplier\u003cPath\u003e)\n + Add JavaVersion.JAVA_25\n + Add JavaVersion.JAVA_26\n + Add SystemUtils.IS_JAVA_25\n + Add SystemUtils.IS_JAVA_26\n + Add MutablePair.ofNonNull(Map.Entry)\n + Add TimedSemaphore.builder(), Builder, and deprecate\n constructors\n + LANG-1504: Adding labels and history to split StopWatch\n\n * Fixed Bugs:\n\n + Optimize ObjectToStringComparator.compare() method\n + [javadoc] Improve StringUtils Javadoc\n + Fix internal inverted logic in private isEnum() method and\n correct its usage in getFirstEnum()\n + Use accessors in ToStringStyle so subclasses can effectively\n override them\n + \u0027LocaleUtils.toLocale(String)\u0027 for a 2 letter country code\n now returns a value instead of throwing an\n \u0027IllegalArgumentException\u0027\n + Fix typo in StringUtils.trunctate() IllegalArgumentException\n message and test assertion messages\n + Fix test fixture in\n ReflectionDiffBuilderTest.testTransientFieldDifference()\n + LANG-1789: NullPointerException when generating\n NoSuchMethodException in MethodUtils\n + LANG-1786: Map deprecated TimeZone short IDs and avoid JRE\n WARNINGs to the console\n + LANG-1792: TypeUtils.toString() skips angle brackets for Class\n type\n + Mention JDK 25 LTS as a tested version in the release notes\n * Changes:\n + Bump org.apache.commons:commons-parent from 88 to 92\n\n- Update to 3.19.0\n\n * New features:\n\n + Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH\n + Add SystemUtils.IS_OS_NETWARE\n + Add MethodUtils.getAccessibleMethod(Class, Method)\n + Add documentation to site for CVE-2025-48924\n ClassUtils.getClass(...) 
can throw a StackOverflowError on\n very long inputs\n + Add StringUtils.indexOfAny(CharSequence, int, char...)\n + Add ConcurrentException.ConcurrentException(String)\n + Add DateUtils.toLocalDateTime(Date[, TimeZone])\n + Add DateUtils.toOffsetDateTime(Date[, TimeZone])\n + Add DateUtils.toZonedDateTime(Date[, TimeZone])\n + Add ByteConsumer\n + Add ByteSupplier\n + Add FailableByteConsumer\n + Add FailableByteSupplier\n + LANG-1784: Add Functions methods for null-safe mapping and\n chaining\n + LANG-1784: Add Failable methods for null-safe mapping and\n chaining\n + Add DoubleRange.fit(double)\n + Add IntegerRange.fit(int)\n + Add LongRange.fit(long)\n + Add DurationUtils.get(String, TemporalUnit, long)\n + Add DurationUtils.getMillis(String, long)\n + Add DurationUtils.getSeconds(String, long)\n + Add SystemProperties.getBoolean(Class, String, boolean)\n + Add SystemProperties.getInt(Class, String, int)\n + Add SystemProperties.getLong(Class, String, long)\n\n * Fixed Bugs:\n\n + LANG-1778: MethodUtils.getMatchingMethod() doesn\u0027t respect the\n hierarchy of methods\n + MethodUtils.getMethodObject(Class\u003c?\u003e, String, Class\u003c?\u003e...) 
now\n returns null instead of throwing a NullPointerException, as it\n does for other exception types\n + Reduce spurious failures in ArrayUtilsTest methods that test\n ArrayUtils.shuffle() methods\n + MethodUtils cannot find or invoke a public method on a public\n class implemented in its package-private superclass\n + AtomicSafeInitializer.get() can spin internally if the\n FailableSupplier given to AbstractConcurrentInitializer\n .AbstractBuilder.setInitializer(FailableSupplier) throws a\n RuntimeException\n + LANG-1783: WordUtils.containsAllWords?() may throw\n PatternSyntaxException\n + LANG-1782: MethodUtils cannot find or invoke vararg methods\n without providing vararg types or values\n + MethodUtils cannot find or invoke vararg methods of interface\n types\n + MethodUtils cannot find or invoke vararg methods when widening\n primitive types following the JLS 5.1.2. Widening Primitive\n Conversion\n + LANG-1597: Invocation fails because matching varargs method\n found but then discarded\n + Don\u0027t check accessibility twice in MemberUtils\n .setAccessibleWorkaround(T)\n + LANG-1774: Improve handling of ClassUtils\n .getShortCanonicalName() for invalid input\n + LANG-1720: Improve Javadocs for Conversion\n + Fix CalendarUtils.toLocalDate() Javadoc return type\n description\n + Fix the method name in Javadoc examples for CharUtils.isHex()\n + Deprecate NumberUtils.compare(byte, byte) in favor of\n Byte.compare(byte, byte)\n + Deprecate NumberUtils.compare(int, int) in favor of\n Integer.compare(int, int)\n + Deprecate NumberUtils.compare(long, long) in favor of\n Long.compare(long, long)\n + Deprecate NumberUtils.compare(short, short) in favor of\n Short.compare(short, short)\n + Deprecate obsolete system property constant\n SystemProperties.AWT_TOOLKIT\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_AWT_FONTS\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_AWT_GRAPHICSENV\n + Deprecate obsolete system 
property constant\n SystemProperties.JAVA_AWT_HEADLESS\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_AWT_PRINTERJOB\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_COMPILER\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_ENDORSED_DIRS\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_EXT_DIRS\n + Deprecate method for obsolete system property constant\n SystemProperties.getAwtToolkit()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtFonts()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtGraphicsenv()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtHeadless()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtPrinterjob()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaCompiler()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaEndorsedDirs()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaExtDirs()\n + Deprecate method for obsolete system property constant\n SystemUtils.isJavaAwtHeadless()\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_FONTS\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_GRAPHICSENV\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_HEADLESS\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_PRINTERJOB\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_COMPILER\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_ENDORSED_DIRS\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_EXT_DIRS\n + [javadoc] General improvements\n + [javadoc] Fix thrown exception documentation for\n MethodUtils.getMethodObject(Class\u003c?\u003e, 
String, Class\u003c?\u003e...)\n + [javadoc] Strings::equalsAny: CI doc string should show it\u0027s\n insensitive\n + [javadoc] General Javadoc improvements\n + LANG-1780: [javadoc] Fix Strings Javadoc\n + [javadoc] Fix typo in Javadoc of Strings instances\n + [javadoc] Fix Javadocs in ClassUtils\n + [javadoc] Fix @deprecated link for StringUtils#startsWithAny\n + Replace old feather logotype with new oak logotype\n * Changes:\n + [test] Bump org.apache.commons:commons-text from 1.13.1 to\n 1.14.0\n + Bump org.apache.commons:commons-parent from 85 to 88\n\n- Update to 3.18.0\n\n- Fix component version in default.properties to 3.12\n\n * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.\n * Add FailableShortSupplier, handy for JDBC APIs.\n * Add JavaVersion.JAVA_17.\n * Add StringUtils.substringBefore(String, int).\n * Add Range.INTEGER.\n * Add DurationUtils.\n * Correct implementation of RandomUtils.nextLong(long, long).\n * Update maven-surefire-plugin 2.22.2 -\u003e 3.0.0-M5.\n * Bump junit-bom from 5.7.0 to 5.7.1.\n * Ignored exception \u0027ignored\u0027, should not be called so.\n * Change array style from \u0027int a[]\u0027 to \u0027int[] a\u0027.\n\nChanges in apache-commons-text:\n\n- Upgrade to version 1.15.0\n\n * New features\n\n + Add experimental CycloneDX VEX file\n + TEXT-235: Add Damerau-Levenshtein distance\n + Add unit tests to increase coverage\n + Add new test for CharSequenceTranslator#with()\n + Add tests and assertions to org.apache.commons.text.similarity\n to get to 100% code coverage\n\n * Fixed Bugs\n\n + Fix exception message typo in XmlStringLookup\n .XmlStringLookup(Map, Path...)\n + TEXT-236: Inserting at the end of a TextStringBuilder throws\n a StringIndexOutOfBoundsException\n + Fix TextStringBuilderTest.testAppendToCharBuffer() to use\n proper argument type\n + Fix Apache RAT plugin console warnings\n + Fix site XML to use version 2.0.0 XML schema\n + Removed unreachable threshold verification code in\n 
src/main/java/org/apache/commons/text/similarity\n + Enable secure processing for the XML parser in XmlStringLookup\n in case the underlying JAXP implementation doesn\u0027t\n\n- Upgrade to version 1.14.0\n\n * New features\n\n + Interface StringLookup now extends UnaryOperator\u003cString\u003e\n + Interface TextRandomProvider extends IntUnaryOperator\n + Add RandomStringGenerator.Builder\n .usingRandom(IntUnaryOperator)\n + Add PMD check to default Maven goal\n + Add org.apache.commons.text.RandomStringGenerator.Builder\n .setAccumulate(boolean)\n\n * Fixed Bugs\n\n + Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory\n + Fix PMD UnnecessaryFullyQualifiedName in\n DefaultStringLookupsHolder\n + Fix PMD UnnecessaryFullyQualifiedName in\n PropertiesStringLookup\n + Fix PMD UnnecessaryFullyQualifiedName in\n JavaPlatformStringLookup\n + Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor\n + Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor\n + Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter\n + Fix PMD AvoidBranchingStatementAsLastInLoop in\n TextStringBuilder\n + Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder\n + org.apache.commons.text.translate.LookupTranslator\n .LookupTranslator(Map CharSequence\u003e) now throws\n NullPointerException instead of\n java.security.InvalidParameterException\n\n- Upgrade to version 1.13.1\n\n * Fixed Bugs\n\n + Remove -nouses directive from maven-bundle-plugin. 
OSGi\n package imports now state \u0027uses\u0027 definitions for package\n imports, this doesn\u0027t affect JPMS\n (from org.apache.commons:commons-parent:80)\n + Deprecate EntityArrays.EntityArrays()\n + StringLookupFactory.DefaultStringLookupsHolder\n .createDefaultStringLookups() maps DefaultStringLookup\n .LOCAL_HOST twice instead of once for LOCAL_HOST and\n LOOPBACK_ADDRESS\n\n- Upgrade to version 1.13.0\n\n * New features\n\n + Add StringLookupFactory.loopbackAddressStringLookup()\n + Add StringLookupFactory.KEY_LOOPBACK_ADDRESS\n + Add DefaultStringLookup.LOOPBACK_ADDRESS\n + Add richer inputs in package org.apache.commons.text\n .similarity with SimilarityInput\n + Add HammingDistance.apply(SimilarityInput, SimilarityInput)\n + Add JaccardDistance.apply(SimilarityInput, SimilarityInput)\n + Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)\n + Add JaroWinklerDistance.apply(SimilarityInput,\n SimilarityInput)\n + Add JaroWinklerSimilarity.apply(SimilarityInput,\n SimilarityInput)\n + Add LevenshteinDetailedDistance.apply(SimilarityInput,\n SimilarityInput)\n + Add LevenshteinDistance.apply(SimilarityInput,\n SimilarityInput)\n\n * Fixed Bugs\n\n + Fix build on Java 22\n + Fix build on Java 23-ea\n + Make package-private constructor private:\n StrLookup.MapStrLookup.MapStrLookup(Map)\n + Make package-private constructor private: StrLookup\n .SystemPropertiesStrLookup.SystemPropertiesStrLookup()\n + Make package-private class private and final: MapStrLookup\n + Make package-private class private: StrMatcher.CharMatcher\n + Make package-private class private: StrMatcher.CharSetMatcher\n + Make package-private class private: StrMatcher.NoMatcher\n + Make package-private class private: StrMatcher.StringMatcher\n + Make package-private class private: StrMatcher.TrimMatcher\n + Make package-private class private and final:\n IntersectionSimilarity.BagCount\n + Make package-private class private and final:\n IntersectionSimilarity.TinyCount\n + 
Deprecate LevenshteinDistance.LevenshteinDistance() in favor\n of LevenshteinDistance.getDefaultInstance()\n + Deprecate LevenshteinDetailedDistance\n .LevenshteinDetailedDistance() in favor of\n LevenshteinDetailedDistance.getDefaultInstance()\n + TEXT-234: Improve StrBuilder documentation for new line text\n + TEXT-234: Improve TextStringBuilder documentation for new line\n text\n + TEXT-233: Required OSGi Import-Package version numbers in\n MANIFEST.MF\n\n- Upgrade to version 1.12.0\n\n * New features\n\n + Add StringLookupFactory.fileStringLookup(Path...) and\n deprecated fileStringLookup()\n + Add StringLookupFactory.propertiesStringLookup(Path...) and\n deprecated propertiesStringLookup()\n + Add StringLookupFactory.xmlStringLookup(Map, Path...) and\n deprecated xmlStringLookup() and xmlStringLookup(Map)\n + Add StringLookupFactory.builder() for fencing Path resolution\n of the file, properties and XML lookups\n + Add DoubleFormat.Builder.get() as Builder now implements\n Supplier\n\n * Fixed Bugs\n\n + TEXT-232: WordUtils.containsAllWords?() may throw\n PatternSyntaxException\n + TEXT-175: Fix regression for determining whitespace in\n WordUtils\n + Deprecate Builder in favor of Supplier\n\n- Upgrade to version 1.11.0\n\n * New features\n\n + TEXT-224: Set SecureProcessing feature in XmlStringLookup by\n default\n + TEXT-224: Add StringLookupFactory.xmlStringLookup(Map\u003cString,\n Boolean\u003e...)\n + Add @FunctionalInterface to FormatFactory\n + Add RandomStringGenerator.builder()\n + TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup\n + Add StringSubstitutor.toString()\n\n * Fixed Bugs\n\n + TEXT-219: Fix StringTokenizer.getTokenList to return an\n independent modifiable list\n + Fix Javadoc for StringEscapeUtils.escapeHtml4\n + TextStringBuidler#hashCode() allocates a String on each call\n + TEXT-221: Fix Bundle-SymbolicName to use the package name\n org.apache.commons.text\n + Add and use a package-private singleton for RegexTokenizer\n + 
Add and use a package-private singleton for CosineSimilarity\n + Add and use a package-private singleton for\n LongestCommonSubsequence\n + Add and use a package-private singleton for\n JaroWinklerSimilarity\n + Add and use a package-private singleton for JaccardSimilarity\n + [StepSecurity] ci: Harden GitHub Actions\n + Improve AlphabetConverter Javadoc\n + Fix exception message in IntersectionResult to make\n set-theoretic sense\n + Add null-check in RandomStringGenerator#Builder#selectFrom()\n to avoid NullPointerException\n + Add null-check in RandomStringGenerator#Builder#withinRange()\n to avoid NullPointerException\n + TEXT-228: Fix TextStringBuilder to over-allocate when ensuring\n capacity\n + Constructor for ResourceBundleStringLookup should be private\n instead of package-private\n + Constructor for UrlDecoderStringLookup should be private\n instead of package-private\n + Constructor for UrlEncoderStringLookup should be private\n instead of package-private\n + TEXT-230: Javadoc of org.apache.commons.text.lookup\n .DefaultStringLookup.XML is incorrect\n + Update DoubleFormat to state it is based on Double.toString\n\n + Removed non-existing parameter from Javadocs and spelled out\n + StringEscapeUtils.unescapeCsv doesn\u0027t remove quotes at begin\n + Refactor TextStringBuilder.readFrom(Readable), extracting\n + Add org.apache.commons.text.TextStringBuilder.drainChars(int,\n + Add org.apache.commons.text.TextStringBuilder.wrap(char[],\n\nChanges in apache-commons-configuration2:\n\n- Upgrade to version 2.15.0\n\n * Changes\n\n + Disable include schemes http[s] by default, see\n AbstractFileLocationStrategy\n + Detect and avoid processing cycles in YAML input\n (YAMLConfiguration) (bsc#1265299, CVE-2026-45205)\n + Extend scheme validation to inner schemes of jar: URLs\n\n- Upgrade to version 2.14.0\n\n * New features\n\n + Add XMLConfiguration.read(Element)\n + Add ConfigurationException.ConfigurationException(String,\n Object...)\n + Add 
ConfigurationException.ConfigurationException(Throwable,\n String, Object...)\n + Add ConversionException.ConversionException(String, Object...)\n + Add ConversionException.ConversionException(Throwable, String,\n Object...)\n + Add ConfigurationRuntimeException\n .ConfigurationRuntimeException(Throwable, String, Object...)\n\n * Fixed Bugs\n\n + Fix Apache RAT plugin console warnings\n + Migrate from deprecated APIs\n\n- Upgrade to version 2.13.0\n\n * New features\n\n + Add org.apache.commons.configuration2.ImmutableConfiguration\n .entrySet()\n + Add org.apache.commons.configuration2.ImmutableConfiguration\n .forEach(BiConsumer\u003cString, Object\u003e)\n + Add VEX entry for CVE-2025-48924\n\n * Fixed Bugs\n\n + Shared primitive variable \"throwExceptionOnMissing\" in one\n thread may not yield the value of the most recent write from\n another thread [org.apache.commons.configuration2\n .AbstractConfiguration] At AbstractConfiguration.java:\n [line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE\n + Shared primitive variable \"forceSingleLine\" in one thread may\n not yield the value of the most recent write from another\n thread [org.apache.commons.configuration2\n .PropertiesConfigurationLayout]\n At PropertiesConfigurationLayout.java:[line 821]\n AT_STALE_THREAD_WRITE_OF_PRIMITIVE\n + CONFIGURATION-849: Fix undoubling of strings\n + CONFIGURATION-852: Mark the package jakarta.servlet.* import\n as optional in OSGi\n + Fix build [WARNING] Parameter \u0027forkMode\u0027 is unknown for plugin\n \u0027maven-surefire-plugin:3.5.3:test (default-test)\u0027\n\n- Upgrade to version 2.12.0\n\n * New features:\n\n + Add PrefixedKeysIterator.toString() to package-private\n PrefixedKeysIterator\n + CONFIGURATION-836: New web configurations using the\n jakarta.servlet namespace are now available\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n .JakartaServletConfiguration\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n 
.JakartaServletContextConfiguration\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n .JakartaServletFilterConfiguration\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n .JakartaServletRequestConfiguration\n + Add org.apache.commons.configuration2\n .AbstractHierarchicalConfiguration.getKeysInternal(String,\n String)\n\n * Fixed Bugs:\n\n + PropertyConverter.to(Class, Object, DefaultConversionHandler)\n doesn\u0027t convert custom java.lang.Number subclasses\n + DefaultConversionHandler.convertValue(Object, Class,\n ConfigurationInterpolator) doesn\u0027t convert custom java.lang\n .Number subclasses\n + DefaultConversionHandler.to(Object, Class,\n ConfigurationInterpolator) doesn\u0027t convert custom java.lang\n .Number subclasses\n + CONFIGURATION-848: SubsetConfiguration does not account for\n delimiters as it did in 2.9.0\n + CONFIGURATION-848: CompositeConfiguration does not account for\n delimiters as it did in 2.9.0\n + Describe the security model\n + De-emphasize the 1.x version line on the website\n + CONFIGURATION-851: HomeDirectoryLocationStrategy no longer\n resolves the user HOME directory correctly\n\n- Upgrade to version 2.11.0\n\n * New features\n\n + CONFIGURATION-844: Add support for empty sections\n + Add ImmutableConfiguration.containsValue(Object)\n\n * Fixed Bugs\n\n + Fail-fast with a NullPointerException if DataConfiguration\n .DataConfiguration(Configuration) is called with null\n + Fail-fast with a NullPointerException if\n XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element)\n is called with null\n + Fail-fast with a NullPointerException if a SubsetConfiguration\n constructor is called with a null Configuration\n + CONFIGURATION-843: Methods should not be empty\n + Guard MapConfiguration against null maps\n + Fail-fast with a NullPointerException if\n AppletConfiguration(Applet) is called with null\n + Fail-fast with a NullPointerException if\n ServletConfiguration(Servlet) is called with 
null\n + Fail-fast with a NullPointerException if\n ServletConfiguration(ServletConfig) is called with null\n + Fail-fast with a NullPointerException if\n ServletContextConfiguration(Servlet) is called with null\n + Fail-fast with a NullPointerException if\n ServletContextConfiguration(ServletContext) is called with null\n + Fail-fast with a NullPointerException if\n ServletFilterConfiguration(FilterConfig) is called with null\n + Fail-fast with a NullPointerException if\n ServletRequestConfiguration(ServletRequest) is called with\n null\n + Deprecate DatabaseConfiguration.getDatasource() in favor of\n getDataSource()\n + Fix PMD DynamicCombinedConfiguration in\n AbstractImmutableNodeHandler\n + Fix PMD DynamicCombinedConfiguration in\n AbstractListDelimiterHandler\n + Fix PMD DynamicCombinedConfiguration in\n DefaultPrefixLookupsHolder\n + Fix PMD DynamicCombinedConfiguration in\n DynamicCombinedConfiguration\n + Fix PMD DynamicCombinedConfiguration in\n PropertiesConfiguration\n + CONFIGURATION-846: Restore previous behavior allowing Spring\n to inject multiple values\n + CONFIGURATION-847: Property with an empty string value was not\n processed\n\nChanges in apache-commons-cli:\n\n- Update to 1.11.0\n\n * New Features\n\n + Add CommandLine.getOptionCount() to measure option repetition\n\n * Fixed Bugs\n\n + CLI-351: Multiple trailing BREAK_CHAR_SET characters cause\n infinite loop in HelpFormatter\n + CLI-351: Fix issue with groups not being reported in help\n output\n\nChanges in apache-commons-io:\n\n- Upgrade to 2.22.0\n\n * New features\n\n + Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)\n + Add ProxyWriter.setReference(Writer)\n + Add ProxyWriter.unwrap()\n + Add ProxyReader.setReference(Reader)\n +Add ProxyReader.unrwap()\n + IO-883: ByteArraySeekableByteChannel should optionally\n configure a read-only channel\n + IO-883: Add ByteArraySeekableByteChannel.Builder and builder()\n + IO-883: Add AbstractStreamBuilder.getByteArray()\n + 
CloseShieldInputStream now supports a custom close shield as\n a function\n + Add FlushShieldOutputStream to workaround issues in generic\n code that ends up calling third parties like like\n org.tukaani.xz.LZMAOutputStream.flush()\n + Add filter channels\n\n * Fixed Bugs\n\n + Fix Apache RAT plugin console warnings\n + ByteArraySeekableByteChannel.position(long) and truncate(long)\n shouldn\u0027t throw an IllegalArgumentException for a new positive\n position that\u0027s too large\n + Fix malformed Javadoc comments\n + ReadAheadInputStream.close() doesn\u0027t always close its filtered\n input stream\n + ReadAheadInputStream now restores the current thread\u0027s\n interrupt flag when catching InterruptedException\n + FileAlterationMonitor.stop(long) now restores the current\n thread\u0027s interrupt flag when catching InterruptedException\n + FileCleaningTracker now restores the current thread\u0027s\n interrupt flag when catching InterruptedException\n + ThreadMonitor.run() now restores the current thread\u0027s\n interrupt flag when catching InterruptedException\n + ThrottledInputStream.throttle() now restores the current\n thread\u0027s interrupt flag when catching InterruptedException\n + ThrottledInputStream.throttle() doesn\u0027t preserve the original\n InterruptedException as the cause of its\n InterruptedIOException\n + All thread names are now prefixed with \"commons-io-\"\n + IO-639: ReversedLinesFileReader does not read first line if\n its empty\n + IO-886: Fixed incorrect regular expression in\n PathUtils.RelativeSortedPaths.extractKey(String, String)\n + Fix typos in Javadoc of FileUtils and related test classes\n + IO-887: WriterOutputStream from a builder fails on malformed\n or unmappable input bytes\n + BoundedReader now extends ProxyReader\n + AbstractStreamBuilder.setOpenOptions(OpenOption...) 
now makes\n a defensive copy of its input array\n + IO-885: Path visits follow links\n + BOMInputStream fail-fast and tracks its ByteOrderMark as a final\n + Refactor UnixLineEndingInputStream and\n WindowsLineEndingInputStream for duplication\n + IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils\n + Fix JaCoCo report generation (code coverage)\n + AbstractStreamBuilder.setBufferSizeDefault(int) now resets to\n default for input less than or equal to zero\n\n * Changes\n\n + Bump org.apache.commons:commons-parent from 91 to 98\n + Bump commons-codec:commons-codec from 1.19.0 to 1.21.0\n + Bump commons.bytebuddy.version from 1.17.8 to 1.18.8\n + Bump commons-lang3 from 3.19.0 to 3.20.0\n\nChanges in apache-commons-codec:\n\n- Update to 1.22.0\n\n * New features\n\n + CODEC-326: Add Base58 support\n + Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[])\n + CODEC-335: Add GitIdentifiers to compute Git blob and tree\n object identifiers\n\n * Fixed Bugs\n\n + CODEC-249: Fix Incorrect transform of CH digraph according\n Metaphone basic rules #423\n + CODEC-317: ColognePhonetic can create duplicate consecutive\n codes in some cases\n + Add boundary tests for BinaryCodec.fromAscii partial-bit\n inputs #425\n + CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc\n incorrectly states null is accepted for primitive boolean\n parameter\n\n * Changes\n\n + Bump org.apache.commons:commons-parent from 96 to 98\n\n- Update to 1.21.0\n\n * New features\n\n + CODEC-333: Add distinct Base64 decoding for standard and\n URL-safe formats\n\n * Fixed Bugs\n\n + Fix oak leaf icon references in overview.html when running\n \u0027mvn clean javadoc:javadoc\u0027\n + Fix Apache RAT plugin console warnings\n + Fix malformed Javadoc comments\n * Changes\n + Bump org.apache.commons:commons-parent from 91 to 96 #415,\n #418\n + Bump commons-io:commons-io from 2.20.0 to 2.21.0\n + Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0\n\n- Update to 1.20.0\n\n * 
New features\n\n + Add org.apache.commons.codec.digest.Crc16\n + Add builders to org.apache.commons.codec.digest streams and\n deprecate some old constructors\n + Add builder to Base16 streams and deprecate some old\n constructors\n + Add support for SHAKE128-256 and SHAKE256-512 to \u0027DigestUtils\u0027\n and \u0027MessageDigestAlgorithms\u0027 on Java 25 and up\n + Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and\n refactor subclasses\n\n * Changes\n\n + Deprecate all but one Base32 constructor in favor of the\n builder added in version 1.17.0\n + Deprecate all but one Base64 constructor in favor of the\n builder added in version 1.17.0\n + BaseNCodecInputStream subclasses are now type-safe to match\n its matching BaseNCodec\n + BaseNCodecOutputStream subclasses are now type-safe to match\n its matching BaseNCodec\n + Bump org.apache.commons:commons-parent from 85 to 91\n + [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to\n 3.19.0\n\n- Update to 1.19.0\n\n * New features\n\n + Add HmacUtils.hmac(Path)\n + Add HmacUtils.hmacHex(Path)\n + Add PMD check to the default Maven goal\n + Add SpotBugs check to the default Maven goal\n\n * Fixed Bugs\n\n + Remove -nouses directive from maven-bundle-plugin. 
OSGi\n package imports now state \u0027uses\u0027 definitions for package\n imports, this doesn\u0027t affect JPMS\n (from org.apache.commons:commons-parent:80)\n + Refactor DigestUtils.updateDigest(MessageDigest, File) to use\n NIO\n + CODEC-328: Clarify Javadoc for\n org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String)\n + Precompile regular expressions in DaitchMokotoffSoundex.Rule\n + Precompile regular expressions in\n DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map)\n + Precompile regular expressions in\n Lang.loadFromResource(String, Languages)\n + Precompile regular expressions in\n PhoneticEngine.encode(String, LanguageSet)\n + Precompile regular expressions in\n org.apache.commons.codec.language.bm.Rule.parse*(*)\n + Remove redundant checks for whitespace in\n DaitchMokotoffSoundex.soundex(String, boolean)\n + Javadoc typo in Base16.java #380\n + Deprecate unused constant org.apache.commons.codec.language.bm\n .Rule.ALL\n + CODEC-331: org.apache.commons.codec.language.bm.Rule\n .parsePhonemeExpr(String) adds duplicate empty phoneme when\n input ends with |\n + CODEC-331: org.apache.commons.codec.language\n .DaitchMokotoffSoundex.cleanup(String) does not remove special\n characters like punctuation\n + Fix PMD multiple UnnecessaryFullyQualifiedName in\n org.apache.commons.codec.binary.StringUtils\n + Fix PMD UnusedFormalParameter in private constructor in\n org.apache.commons.codec.binary.Base16\n + Fix PMD multiple UnnecessaryFullyQualifiedName in\n org.apache.commons.codec.digest.Blake3\n + Fix PMD UnnecessaryFullyQualifiedName in\n org.apache.commons.codec.digest.Md5Crypt\n + Fix PMD EmptyControlStatement in\n org.apache.commons.codec.language.Metaphone\n + Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary\n .BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose\n internal representation by storing an externally mutable\n object into BaseNCodec$AbstractBuilder.encodeTable [org.apache\n 
.commons.codec.binary.BaseNCodec$AbstractBuilder] At\n BaseNCodec.java:[line 131] EI_EXPOSE_REP2\n + The method org.apache.commons.codec.binary.BaseNCodec\n .AbstractBuilder.setLineSeparator(byte...) now makes a\n defensive copy\n + Avoid unnecessary String conversion in\n org.apache.commons.codec.language.bm.PhoneticEngine\n .applyFinalRules(PhonemeBuilder, Map)\n + Fix SpotBugs [ERROR] High: Potentially dangerous use of\n non-short-circuit logic in org.apache.commons.codec.language\n .DaitchMokotoffSoundex.cleanup(String)\n [org.apache.commons.codec.language.DaitchMokotoffSoundex] At\n DaitchMokotoffSoundex.java:[line 350]\n NS_DANGEROUS_NON_SHORT_CIRCUIT\n\n * Changes\n\n + Bump org.apache.commons:commons-parent from 79 to 85 #375\n + [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0\n + [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to\n 3.18.0 #386\n\n- Update to 1.16.0:\n\n * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.\n\n + Support java.nio.ByteBuffer in\n\n * Fixed bugs:\n\n- Don\u0027t condition the maven defines on release version, but on\n\n + Add Daitch-Mokotoff Soundex\n + Make possible to provide padding byte to BaseNCodec in constructor\n urlSafe parameter\n is mandatory to call close()\n + Add support for HMAC Message Authentication Code (MAC) digests\n + Beider Morse Phonetic Matching producing incorrect tokens\n using empty strings\n Issue: CODEC-184.\n + Fix Javadoc 1.8.0 errors\n + Fix Java 8 build Javadoc errors\n Issue: CODEC-189.\n + Deprecate Charsets Charset constants in favor of Java 7\u0027s\n java.nio.charset.StandardCharsets\n Issue: CODEC-178.\n + Update from commons-parent 34 to 35\n Issue: CODEC-190.\n\n- update to 1.8\n * Add DigestUtils.updateDigest(MessageDigest, InputStream)\n * Add Match Rating Approach (MRA) phonetic algorithm encoder\n * ColognePhonetic encoder unnecessarily creates many char arrays on every loop run\n- add junit4 to fix a build fail\n- update to 1.6, sync with Fedora\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-822",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21996-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21996-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621996-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21996-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047180.html"
},
{
"category": "self",
"summary": "SUSE Bug 1265299",
"url": "https://bugzilla.suse.com/1265299"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-45205 page",
"url": "https://www.suse.com/security/cve/CVE-2026-45205/"
}
],
"title": "Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec",
"tracking": {
"current_release_date": "2026-05-29T08:47:36Z",
"generator": {
"date": "2026-05-29T08:47:36Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21996-1",
"initial_release_date": "2026-05-29T08:47:36Z",
"revision_history": [
{
"date": "2026-05-29T08:47:36Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"product_id": "apache-commons-cli-1.11.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"product_id": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"product_id": "apache-commons-codec-1.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"product_id": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"product_id": "apache-commons-configuration2-2.15.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"product_id": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-io-2.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-io-2.22.0-160000.1.1.noarch",
"product_id": "apache-commons-io-2.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"product_id": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"product_id": "apache-commons-lang3-3.20.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"product_id": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-text-1.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-text-1.15.0-160000.1.1.noarch",
"product_id": "apache-commons-text-1.15.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"product_id": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-29T08:47:36Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2026-45205",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-45205"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-45205",
"url": "https://www.suse.com/security/cve/CVE-2026-45205"
},
{
"category": "external",
"summary": "SUSE Bug 1265299 for CVE-2026-45205",
"url": "https://bugzilla.suse.com/1265299"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-29T08:47:36Z",
"details": "important"
}
],
"title": "CVE-2026-45205"
}
]
}
WID-SEC-W-2026-1539
Vulnerability from csaf_certbund - Published: 2026-05-14 22:00 - Updated: 2026-06-08 22:00
Summary
Apache Commons: Vulnerability allows denial of service
Severity
Medium
Notes
The BSI, as provider, is responsible under general law for its own content that it makes available for use. Users are, however, responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description: Apache Commons is an Apache project that covers all aspects of reusable Java components.
Attack: A remote, anonymous attacker can exploit a vulnerability in Apache Commons to carry out a denial of service attack.
Affected operating systems: - Other
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux (SUSE) | cpe:/o:suse:suse_linux:- | — | |
| SUSE openSUSE (SUSE) | cpe:/o:suse:opensuse:- | — | |
| Apache Commons <2.15.0 (Apache / Commons) | | <2.15.0 | |
References
6 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1539 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1539.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1539 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1539"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-337m-mw94-2v6g vom 2026-05-14",
"url": "https://github.com/advisories/GHSA-337m-mw94-2v6g"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10784-1 vom 2026-05-17",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BEKG645ORNRE7JDIAF3H6OJABJNCWNAA/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20841-1 vom 2026-06-01",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZX4PE7U7EUO3FASPSWEHRN3STKWX6WCN/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21996-1 vom 2026-06-08",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026642.html"
}
],
"source_lang": "en-US",
"title": "Apache Commons: Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2026-06-08T22:00:00.000+00:00",
"generator": {
"date": "2026-06-09T08:40:59.661+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1539",
"initial_release_date": "2026-05-14T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-05-14T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-05-17T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-06-01T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-06-08T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.15.0",
"product": {
"name": "Apache Commons \u003c2.15.0",
"product_id": "T054191"
}
},
{
"category": "product_version",
"name": "2.15.0",
"product": {
"name": "Apache Commons 2.15.0",
"product_id": "T054191-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:commons:2.15.0"
}
}
}
],
"category": "product_name",
"name": "Commons"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-45205",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T054191"
]
},
"release_date": "2026-05-14T22:00:00.000+00:00",
"title": "CVE-2026-45205"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.