Vulnerability detected with A2A client version 4.12.3. Please see attached for NexuIQ scan results for more details, but it is due to commons-net.jar.
Please look into this ASAP; we need to proceed, as the vulnerability is holding up projects/new builds.
Release: 4.x
The client's vulnerability scanner flagged this jar file for CVE-2021-37533.
After a review of the A2A code base, development determined that commons-net.jar is not required for any base A2A functionality, and this jar file will be removed from all future releases of the A2A agent (starting with PAM 4.1.2). No patch is required for any previous release, since the jar file can simply be deleted without restarting any services.
Linux/Unix
[root@jXXXX ]# find <Your A2A install folder> -name 'commons-net*.jar'
/opt/catech/cspmclient_v.4.12.3/lib/commons-net-3.3.jar
[root@jXXXX ]# rm /opt/catech/cspmclient_v.4.12.3/lib/commons-net-3.3.jar
Windows
Delete the jar file using the Windows file manager (default location: C:\cspm\cloakware\cspmclient\lib).
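
The Linux/Unix steps above as a repeatable check, added here as an example and not part of the vendor's instructions. The helper names audit_commons_net and version_lt are hypothetical, and the 3.9.0 fix version is taken from the public CVE-2021-37533 record, not from this article.

```shell
#!/bin/sh
# Added example (not vendor code): audit an A2A install folder for commons-net jars.
FIXED_IN="3.9.0"  # Commons Net release that fixes CVE-2021-37533 (from the CVE record, not this page)

# version_lt A B: succeeds when dotted version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# audit_commons_net DIR [--remove]
# Prints "<STATUS> <version> <path>" for each jar found.
# Returns 0 when no commons-net jar is left under DIR, 1 when one remains, 2 on bad input.
audit_commons_net() {
    dir=$1; mode=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    list=$(mktemp) || return 2
    # Quote the pattern so the shell cannot expand it before find sees it.
    find "$dir" -type f -name 'commons-net*.jar' > "$list"
    remaining=0
    while IFS= read -r jar; do
        # Derive the version from the file name, e.g. commons-net-3.3.jar -> 3.3
        ver=${jar##*/}; ver=${ver#commons-net-}; ver=${ver%.jar}
        case $ver in [0-9]*) ;; *) ver=unknown ;; esac
        if [ "$mode" = "--remove" ] && rm -f -- "$jar"; then
            status=REMOVED
        else
            remaining=1
            if [ "$ver" = unknown ]; then status=UNKNOWN
            elif version_lt "$ver" "$FIXED_IN"; then status=FLAGGED
            else status=PRESENT; fi
        fi
        echo "$status $ver $jar"
    done < "$list"
    rm -f -- "$list"
    return "$remaining"
}
```

Call audit_commons_net with the A2A install folder to report what is present, and add --remove as the second argument to delete the jars; a zero return status means no commons-net jar remains.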