SUSE SLED15 / SLES15 / openSUSE 15 : Recommended update for Maven (SUSE-SU-2025:0719-1)

high Nessus Plugin ID 216883

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:0719-1 advisory.

maven-dependency-analyzer was updated from version 1.13.2 to 1.15.1:

- Key changes across versions:
* Bug fixes and improved support of dynamic types
* Dependency upgrades (ASM, Maven core, and notably the removal of commons-io)
* Improved error handling by logging instead of failing
* Improved dependency usage tracking

maven-dependency-plugin was updated from version 3.6.0 to 3.8.1:

- Key changes across versions:
* Dependency upgrades on maven-dependency-analyzer and Doxia
* Deprecated dependency:sources in favor of dependency:resolve-sources
* Documentation improvements
* New dependency analysis goal to check for invalid exclusions
* New JSON output option for dependency:tree
* Performance improvements
* Several bug fixes addressing:
- The handling of silent parameters
- The display of the optional flag in the tree
- The clarity of some error messages

maven-doxia-sitetools was updated from version 1.11.1 to 2.0.0:

- Key changes across versions:
* New features:
- Passing the input filename to the parser
- Adding a timezone field to the site descriptor
- Configuring parsers per markup
* Improvements:
- Clarifying site descriptor properties
- Requiring a skin if a site descriptor (site.xml) has been provided
- Optimization of resource handling
- Overhauled locale support
- Refined menu item display
- Use of Maven Resolver for artifact resolution
- Enhanced Velocity context population
- Automating anchor creation
* Internal changes:
- Migration from Plexus to Sisu
- Upgraded to Java 8
- Removal of deprecated components and features (such as Maven 1.x support, Google-related properties)
- Simplified the site model
- Improved the DocumentRenderer interface/DocumentRenderingContext class API
* Several bug fixes addressing:
- The Plexus to Sisu migration
- Decoration model injection
- Anchor creation
- XML character escaping
- Handling of 0-byte site descriptors

maven-doxia was updated from version 1.12.0 to 2.0.0:

- Key changes across versions:
* Improved HTML5 Support:
+ Obsolete attributes and elements were removed
+ CSS styles are now used for styling
+ XHTML5 is now the default HTML implementation, and XHTML(4) is deprecated
* Improved Markdown Support:
+ A new Markdown sink allows converting content to Markdown.
+ Support for various Markdown features like blockquotes, footnotes, and metadata has been added
* General Improvements:
+ Dependencies were updated
+ Doxia was upgraded to Java 8
+ Logging and Doxia ID generation were streamlined
+ Migration from Plexus to Sisu
+ Removed deprecated modules and code
* Several bug fixes addressing:
+ HTML5 incorrect output such as tables, styling and missing or improperly handled attributes
+ Markdown formatting issues
+ Issues with Plexus migration
+ Incorrect generation of unique IDs
+ Incorrect anchor generation for document titles
+ Ignored element classes

maven-invoker-plugin was updated from version 3.2.2 to 3.8.1:

- Key changes across versions:
* Commons-lang3 was removed
* Custom Maven executables, external POM files, and more CLI options are now supported
* Deprecated code was cleaned up
* Doxia was updated, improving HTML generation and adding Markdown support
* Groovy was updated, adding support for JDK 19
* Improved Reporting and Time Handling
* Enhanced syntax support for invoker properties and Maven options
* Java 8 is now the minimum supported version
* Maven 3.6.3 is now the minimum supported version
* Several dependencies were updated or removed
* Snapshot update behavior can be controlled
* Several bug fixes addressing issues with:
+ Dependency resolution
+ Environment variables
+ File handling
+ Report generation
+ Threading

maven-invoker was updated from version 3.1.0 to 3.3.0:

- Key changes across versions:
* Added several CLI options.
* Added support to disable snapshot updates.
* Added test for inherited environment
* Custom Maven executables
* Deprecated code was removed
* External POM files
* Fixed issues with builder IDs
* Improved timeout handling
* Java 8 is now a requirement
* Tests were migrated to JUnit 5

maven-javadoc-plugin was updated from version 3.6.0 to 3.11.1:

- Key changes across versions:
* Addressed test cleanup and inconsistent default value
* Automatic release detection for older JDKs
* Clarified documentation
* Dependency upgrades of org.codehaus.plexus:plexus-java and Doxia
* Deprecated the 'old' parameter
* Improvements include handling of Java 12+ links, user settings with invoker, and default author value.
* Simplified integration tests.
* Upgraded maven-plugin parent
* Various bug fixes related to:
+ Toolchains issues
+ Empty JAR creation
+ JDK 10 compatibility
+ Reactor build failures
+ Unit test issues
+ Null pointer exception
+ Issues with skipped reports
+ Stale file detection
+ Log4j dependency download
+ Test repository creation

maven-parent was updated from version 40 to 43:

- Key changes across versions:
* Potentially breaking changes:
+ Removed dependency on `maven-plugin-annotations` to better support Maven 4 plugins
+ Removed `checkstyle.violation.ignore`
* Improved Java 21 support
* Empty Surefire and PMD reports are now skipped
* Disabled annotation processing by compiler
* Various code cleanup and project restructuring tasks

maven-plugin-tools was updated from version 3.13.0 to 3.15.1:

- Key changes across versions:
* Doxia and Velocity Engine upgrades
* New report-no-fork goal 'report-no-fork' which will not invoke process-classes
* Deprecation of o.a.m.plugins.annotations.Component
* Improved Maven 3 and Maven 4 support

maven-reporting-api was updated from version 3.1.1 to 4.0.0:

- Key changes across versions:
* API: Allow MavenReportRenderer.render() and MavenReport.canGenerateReport() to throw exceptions
* Require locales to be non-null
* Improve the MavenReport interface and AbstractMavenReport class
* Removed unused default-report.xml file

maven-reporting-implementation was updated from version 3.2.0 to 4.0.0:

- Key changes across versions include:
* Addressed issues with duplicate calls to canGenerateReport()
* New features such as markup output support, flexible section handling and verbatim source rendering
* Numerous improvements to skinning, rendering, parameter handling, timestamp population and logging
* Upgrade to Java 8

maven-surefire was updated from version 3.2.5 to 3.5.2:

- Key changes across versions include:
* Addressed issues with JUnit5 test reporting, serialization, classpath handling and compatibility with newer JDKs.
* Refined handling of system properties, commons-io usage, parallel test execution and report generation.
* Updated Doxia and commons-compress dependencies
* Improved documentation, including FAQ fixes

plexus-velocity was updated to version 2.1.0:

- Upgraded Velocity Engine to 2.3
- Moved to JUnit5

velocity-engine:

- New package velocity-engine-core implemented at version 2.4

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?49687fec

https://www.suse.com/security/cve/CVE-2020-13936

Plugin Details

Severity: High

ID: 216883

File Name: suse_SU-2025-0719-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/27/2025

Updated: 2/27/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2020-13936

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:maven-doxia-core, p-cpe:/a:novell:suse_linux:maven-doxia-module-apt, p-cpe:/a:novell:suse_linux:maven-doxia-module-xhtml5, p-cpe:/a:novell:suse_linux:maven-surefire-provider-testng, p-cpe:/a:novell:suse_linux:plexus-velocity, p-cpe:/a:novell:suse_linux:maven-doxia-module-fml, p-cpe:/a:novell:suse_linux:maven-doxia-module-xdoc, p-cpe:/a:novell:suse_linux:maven-reporting-api, p-cpe:/a:novell:suse_linux:maven-surefire-plugin, p-cpe:/a:novell:suse_linux:velocity-engine-core, p-cpe:/a:novell:suse_linux:maven-surefire-provider-junit, p-cpe:/a:novell:suse_linux:maven-javadoc-plugin, p-cpe:/a:novell:suse_linux:maven-plugin-annotations, p-cpe:/a:novell:suse_linux:maven-surefire, p-cpe:/a:novell:suse_linux:maven-doxia-sink-api, p-cpe:/a:novell:suse_linux:maven-invoker, p-cpe:/a:novell:suse_linux:maven-doxia-sitetools, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/26/2025

Vulnerability Publication Date: 3/10/2021

Reference Information

CVE: CVE-2020-13936

SuSE: SUSE-SU-2025:0719-1