[ACS AEM Common 6.3.8] Vulnerabilities Regarding Logback and Nekohtml.

[glo10847]

Required Information

• AEM Version/SP - 6.5.17
• ACS AEM Commons Version: 6.3.8

Expected Behavior

No vulnerabilities regarding logback and nekohtml

Actual Behavior

Vulnerabilities found related to Logback and nekohtml in ACS AEM Commons 6.3.8

Steps to Reproduce

Customer reported vulnerabilities regarding Logback and Nekohtml. They are using AEM ACS Common OOTB Bundles. Customer ran the scan using SYNK tool.
Adobe ACS AEM Commons uses logback version 1.2.3. But as per snyk vulnerability dashboard it should upgraded to 1.2.13 or higher version due to which we are seeing above mentioned snyk vulnerabilities in the synk dashboard.

Refer the attached Doc for more.

For vulnerabilities regarding Nekohtml , please refer the attached document.
Snyk Issues (3).docx

synk issues from acs-commons.docx

[ravrockss]

The vulnerability mentioned with logback package is still present in ACS Commons bundle 6.6.0
One pseudo fix is to exclude logback package from the codebase where acs-aem-commons-bundle is being included as a dependency.