Hi,
JaCoCo depends on Maven Reporting Impl 2.1, which depends on Doxia 1.1.2, which depends on Xerces 2.8.1, which has this CVE:
CVE-2012-0881: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
This is classified as a HIGH severity vulnerability.
Upgrading to Maven Reporting Impl 3.0 resolves this issue, as 3.0 uses Doxia 1.7, which has no dependency on Xerces at all.
Thanks.
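As an added example (not part of the report above and not JaCoCo's own code): a small Python checker that reads `mvn dependency:tree` output, flags any `xerces:xercesImpl` older than 2.12.0 (the version CVE-2012-0881 is described as fixed in), and prints the path through which it is pulled in. The trees it runs on are constructed to mirror the chain the report describes and its proposed fix; the JaCoCo plugin version, the `maven-reporting-impl:3.0.0` and `doxia-core:1.7` coordinates are assumptions, and the version ordering is a simplification of Maven's `ComparableVersion` that is only meant for plain `x.y.z` versions.

```python
import re
import sys
from typing import Dict, List, Tuple

# One node line of (non-verbose) `mvn dependency:tree` output:
# "[INFO] " + tree-drawing prefix ("+- ", "|  ", "\- ", "   ") + coordinates.
# Lines with trailing text (e.g. "[INFO] BUILD SUCCESS") do not match.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\\- ]*)(?P<coord>\S+)$")

# Constructed sample trees (not real plugin output). The first mirrors the
# chain in the report, the second the proposed upgrade; the plugin version
# and the 3.0.0 / 1.7 artifact coordinates are assumptions.
VULNERABLE_TREE = """\
[INFO] org.jacoco:jacoco-maven-plugin:maven-plugin:0.7.9
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:2.1:compile
[INFO] |  \\- org.apache.maven.doxia:doxia-core:jar:1.1.2:compile
[INFO] |     \\- xerces:xercesImpl:jar:2.8.1:compile
[INFO] \\- org.apache.maven.doxia:doxia-site-renderer:jar:1.1.2:compile
[INFO] BUILD SUCCESS
"""

FIXED_TREE = """\
[INFO] org.jacoco:jacoco-maven-plugin:maven-plugin:0.7.9
[INFO] \\- org.apache.maven.reporting:maven-reporting-impl:jar:3.0.0:compile
[INFO]    \\- org.apache.maven.doxia:doxia-core:jar:1.7:compile
[INFO] BUILD SUCCESS
"""


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Order versions per dotted component so that 2.8.1 < 2.12.0.

    Plain string comparison gets this wrong ("2.8.1" > "2.12.0"), which is a
    common bug in home-grown dependency checks. Numeric parts sort before any
    textual qualifier; this is a simplification of Maven's ordering that is
    sufficient for x.y.z versions such as the Xerces ones.
    """
    key = []
    for part in re.split(r"[.\-]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(key)


def parse_tree(text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Return (depth, node) pairs; each tree level is three characters wide."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dependency node line
        depth = len(m.group("prefix")) // 3
        fields = m.group("coord").split(":")
        if len(fields) < 4:
            continue
        node = {"group": fields[0], "artifact": fields[1], "type": fields[2]}
        if len(fields) == 6:  # group:artifact:type:classifier:version:scope
            node["classifier"], node["version"], node["scope"] = fields[3:6]
        else:                 # group:artifact:type:version[:scope]
            node["version"] = fields[3]
            node["scope"] = fields[4] if len(fields) > 4 else "root"
        nodes.append((depth, node))
    return nodes


def find_vulnerable(text: str, group: str, artifact: str,
                    fixed_in: str) -> List[Tuple[str, str]]:
    """List (version, path) for every group:artifact node older than fixed_in."""
    hits = []
    stack: List[str] = []  # labels of the ancestors of the current node
    for depth, node in parse_tree(text):
        del stack[depth:]
        stack.append(f"{node['group']}:{node['artifact']}:{node['version']}")
        if (node["group"], node["artifact"]) == (group, artifact) \
                and version_key(node["version"]) < version_key(fixed_in):
            hits.append((node["version"], " -> ".join(stack)))
    return hits


def report(text: str) -> int:
    """Print findings for CVE-2012-0881's range; return an exit status."""
    hits = find_vulnerable(text, "xerces", "xercesImpl", "2.12.0")
    for version, path in hits:
        print(f"xercesImpl {version} < 2.12.0 (CVE-2012-0881) via {path}")
    if not hits:
        print("no xercesImpl older than 2.12.0 found")
    return 1 if hits else 0


if __name__ == "__main__":
    # Pipe real output in (`mvn dependency:tree | python check.py`),
    # otherwise run against the constructed samples.
    if not sys.stdin.isatty():
        sys.exit(report(sys.stdin.read()))
    report(VULNERABLE_TREE)
    report(FIXED_TREE)
```

Without `-Dverbose`, Maven prints only the one version it resolved for each artifact, so an older `xercesImpl` that lost a conflict to a newer one is not shown (and is not on the classpath); the verbose "omitted for conflict" lines contain spaces and are skipped by this parser on purpose.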