Vunerability for commons-fileupload version 1.3 (CVE-2014-0050)

[raux]

I apologize for the spam. I am now opening my email as an issue. Please find my email below. We want to use this experience to help us understand the factors involved in bumping a library version.

My name is Raula Kula, a research assistant prof at Osaka University, Japan. Currently I am studying the maintenance of Maven Libraries. I am currently focused on OSS vulnerabilities and the varying reasons for library migration.

As a part of my study I particularity focused on the commons-fileupload library. http://commons.apache.org/proper/commons-fileupload/ and the CVE-2014-0050 https://www.cvedetails.com/cve/CVE-2014-0050/, announced on 2014-04-01, which affects versions up to 1.3.

We noticed that your project on Github is still configured to depend on a vulnerable version of fileupload (1.2.2) at https://github.com/ippontech/tatami/blob/master/pom.xml.

We understand that there are many reasons for not migrating, thus we be appreciate if you could simply detail the following:

1. Were you aware of the vulnerability? If so, then how long ago.
2. What are some factors that influence you not to update.

Also feel free to detail any other information to help us understand your decision. Again, thank you for taking your time off your busy schedule and hope to hear from you soon.

Sincerely,
Raula