[GHSA-6hgm-866r-3cjv] Insecure Deserialization in Apache Commons Collection #7531

Closed
joshbressers wants to merge 1 commit into joshbressers/advisory-improvement-7531 from joshbressers-GHSA-6hgm-866r-3cjv
Conversation

@joshbressers

Updates

  • Affected products

Comments
This removes overlap and simplifies the versions affected

Copilot AI review requested due to automatic review settings April 28, 2026 17:13
@github-actions github-actions Bot changed the base branch from main to joshbressers/advisory-improvement-7531 April 28, 2026 17:14
Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the GHSA advisory metadata for GHSA-6hgm-866r-3cjv (Apache Commons Collections insecure deserialization) by narrowing/cleaning affected package/version ranges and removing overlap.

Changes:

  • Updated the advisory modified timestamp.
  • Narrowed the affected range start from 0 to 4.0 for the remaining Maven package entry.
  • Removed additional Maven package coordinates previously listed as affected.

@@ -47,63 +47,6 @@
]
}
]
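Review bot: the hunk header `@@ -47,63 +47,6 @@` shows 63 lines collapsing to a handful of closing brackets, so whole `affected[]` entries are being dropped, while the PR description only says it "removes overlap". Judging by the entries listed in the suggested change further down, the `collections-generic:collections-generic` entry carries an `"introduced": "0"` event with no `"fixed"` event, meaning it currently declares every version of that coordinate affected; deleting it changes the advisory's claim for that exact Maven coordinate from "all versions affected" to "not affected", which is a different statement than de-duplicating overlapping ranges. Suggest either retaining the three removed entries with corrected, non-overlapping events, or stating in the PR description, per coordinate, why it is redundant (for example, an alias of the retained coordinate or an artifact never published in the vulnerable range).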
Copilot AI Apr 28, 2026

This change removes multiple affected package coordinates (e.g., collections-generic and ServiceMix bundle GAVs). If those artifacts are still published/used independently, dropping them will stop downstream tooling from flagging vulnerable dependencies for those coordinates. If the intent is only to de-duplicate overlapping coverage, consider retaining these affected entries (with corrected/non-overlapping ranges) or documenting why they’re safe to remove (e.g., never shipped within the vulnerable range, aliases to the remaining coordinate, or superseded/retracted artifacts).

Suggested change
]
]
},
{
"package": {
"ecosystem": "Maven",
"name": "collections-generic:collections-generic"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.2_1"
}
]
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections4"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "4.0_1"
},
{
"fixed": "4.1_1"
}
]
}
]

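To make concrete what the review summary's "narrowed the affected range start from 0 to 4.0" and "removed additional Maven package coordinates" bullets, and Copilot's suggested change above, mean for downstream tooling, here is an added example (not code from this PR or from the GitHub Advisory Database) that evaluates OSV-style `affected` entries the way a dependency scanner does. It uses the three removed entries exactly as they appear in the suggested change. The version ordering is a simplified split-on-separator comparison, an assumption that is adequate for the `3.2.2_1`-style versions on this page but not a full Maven comparator; the `narrowing_effect` entry is constructed for illustration, since the retained entry's coordinate and fixed bound are not shown on this page.

```python
"""Evaluate OSV-style "affected" entries against Maven version strings.

Added example, not part of the advisory PR. Range semantics follow the OSV
schema (introduced/fixed events in ECOSYSTEM ranges); version ordering is a
simplified split-on-separator compare (assumption, not Maven's comparator).
"""
import re


def version_key(version):
    """Turn "3.2.2_1" into [(0,3,''), (0,2,''), (0,2,''), (0,1,'')].
    Numeric tokens compare numerically; non-numeric tokens compare as text
    after any number. "0" therefore sorts before every real version."""
    key = []
    for token in re.split(r"[._-]", version):
        if token.isdigit():
            key.append((0, int(token), ""))
        else:
            key.append((1, 0, token))
    return key


def is_affected(ranges, version):
    """OSV rule for ECOSYSTEM ranges: walk the events in version order; the
    version is affected if the last event at or below it is "introduced".
    Only introduced/fixed events are handled here (assumption)."""
    vk = version_key(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        status = False
        events = sorted(rng["events"],
                        key=lambda ev: version_key(next(iter(ev.values()))))
        for ev in events:
            kind, ev_version = next(iter(ev.items()))
            if version_key(ev_version) <= vk:
                status = kind == "introduced"
        if status:
            return True
    return False


def affected_entries(affected, ecosystem, name, version):
    """Entries whose package coordinate matches exactly and whose ranges
    cover the version. Scanners key on the exact ecosystem+name pair, so a
    coordinate with no entry is simply never reported."""
    return [
        entry for entry in affected
        if entry["package"]["ecosystem"] == ecosystem
        and entry["package"]["name"] == name
        and is_affected(entry["ranges"], version)
    ]


# The three entries the PR removes, copied from the suggested change.
REMOVED_ENTRIES = [
    {"package": {"ecosystem": "Maven",
                 "name": "collections-generic:collections-generic"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]},
    {"package": {"ecosystem": "Maven",
                 "name": "org.apache.servicemix.bundles:"
                         "org.apache.servicemix.bundles.commons-collections"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "3.2.2_1"}]}]},
    {"package": {"ecosystem": "Maven",
                 "name": "org.apache.servicemix.bundles:"
                         "org.apache.servicemix.bundles.commons-collections4"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "4.0_1"}, {"fixed": "4.1_1"}]}]},
]


def narrowing_effect(version):
    """(before, after) verdicts for an entry whose start moves from "0" to
    "4.0", as the review summary describes for the retained entry. These
    events are constructed; the real entry's coordinate and fixed bound are
    not shown on the page."""
    before = [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]
    after = [{"type": "ECOSYSTEM", "events": [{"introduced": "4.0"}]}]
    return is_affected(before, version), is_affected(after, version)


if __name__ == "__main__":
    for entry in REMOVED_ENTRIES:
        name = entry["package"]["name"]
        for v in ("3.2.1", "3.2.2_1", "4.0_1", "4.1_1"):
            hits = affected_entries(REMOVED_ENTRIES, "Maven", name, v)
            print(f"{name}@{v}: {'affected' if hits else 'not affected'}")
    # After the removal the same lookup runs against no entries: never flagged.
    print(affected_entries([], "Maven",
                           "collections-generic:collections-generic", "3.2.1"))
    print(narrowing_effect("3.2.1"), narrowing_effect("4.0"))
```

Running it shows the asymmetry the review raises: before the change, `collections-generic:collections-generic` is flagged at every version because its only event is `introduced: 0`, and the two ServiceMix bundles are flagged inside their `introduced`/`fixed` windows; after the change those coordinates match no entry at all, so a scanner reports nothing for them rather than "fixed".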
@github-actions github-actions Bot deleted the joshbressers-GHSA-6hgm-866r-3cjv branch April 28, 2026 17:28