In my project I am using

<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version>
    <type>jar</type>
</dependency>
but after our security team evaluated the jars it found out that the bundled org.apache.taglibs:standard jar is version 1.2.1 which has a security vulnerability (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254). Apache has already fixed it in version 1.2.3 (https://tomcat.apache.org/taglibs/standard/).
In addition, META-INF/c.tld shows that it is actually JSTL version 1.1 instead of 1.2 (see JSTL version 1.2 declared but 1.1 delivered from Maven Repository). Maybe this error is connected to the wrong taglibs standard version?
Nevertheless, what should I do to update the bundled taglibs standard version inside jstl?
Instead of the whole jstl-1.2.jar, download the latest versions of the three needed components:

<!-- https://mvnrepository.com/artifact/org.apache.taglibs/taglibs-standard-spec -->
<dependency>
    <groupId>org.apache.taglibs</groupId>
    <artifactId>taglibs-standard-spec</artifactId>
    <version>1.2.5</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.taglibs/taglibs-standard-impl -->
<dependency>
    <groupId>org.apache.taglibs</groupId>
    <artifactId>taglibs-standard-impl</artifactId>
    <version>1.2.5</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.taglibs/taglibs-standard-jstlel -->
<dependency>
    <groupId>org.apache.taglibs</groupId>
    <artifactId>taglibs-standard-jstlel</artifactId>
    <version>1.2.5</version>
</dependency>
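As an added example (not code from the question or the answer), a Python script that performs the check the question describes: it opens a jar, reports the versions of the Maven modules shaded into it and the tlib-version each .tld under META-INF declares, and flags a bundled org.apache.taglibs module older than the fixed release or a tld at the wrong JSTL level, so a jar can be verified before and after swapping the dependency. The sample jar is constructed in memory to mirror the situation in the question; that a shaded jar keeps the META-INF/maven/*/pom.properties entries Maven writes is an assumption, so on a real jar only the .tld check is guaranteed to have input.

```python
import io
import re
import zipfile


def bundled_artifacts(jar_bytes):
    """'groupId:artifactId' -> version for every Maven module whose pom.properties is shaded into the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = dict(line.split("=", 1) for line in jar.read(name).decode().splitlines()
                             if "=" in line and not line.startswith("#"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found[f"{props['groupId']}:{props['artifactId']}"] = props["version"].strip()
    return found


def declared_tlib_versions(jar_bytes):
    """tld entry -> its <tlib-version>, i.e. the JSTL level the descriptor actually declares."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/") and name.endswith(".tld"):
                m = re.search(r"<tlib-version>\s*([\d.]+)\s*</tlib-version>", jar.read(name).decode())
                if m:
                    found[name] = m.group(1)
    return found


def version_tuple(v):
    # "1.2.1" -> (1, 2, 1) so versions compare numerically, not as strings
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit(jar_bytes, min_standard="1.2.3", expected_jstl="1.2"):
    """Findings: a shaded org.apache.taglibs module below min_standard, or a tld not at expected_jstl."""
    findings = []
    for ga, ver in bundled_artifacts(jar_bytes).items():
        if ga.startswith("org.apache.taglibs:") and version_tuple(ver) < version_tuple(min_standard):
            findings.append(f"{ga} {ver} is older than {min_standard}")
    for tld, ver in declared_tlib_versions(jar_bytes).items():
        if ver != expected_jstl:
            findings.append(f"{tld} declares tlib-version {ver}, expected {expected_jstl}")
    return findings


def build_sample_jar():
    """Constructed sample jar reproducing the question: shaded standard 1.2.1 and a c.tld declaring 1.1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/javax.servlet/jstl/pom.properties", "version=1.2\ngroupId=javax.servlet\nartifactId=jstl\n")
        jar.writestr("META-INF/maven/org.apache.taglibs/standard/pom.properties", "version=1.2.1\ngroupId=org.apache.taglibs\nartifactId=standard\n")
        jar.writestr("META-INF/c.tld", "<taglib><tlib-version>1.1</tlib-version></taglib>")
    return buf.getvalue()
```

Point `audit` at the bytes of the real jstl-1.2.jar (and again at the replacement taglibs-standard-impl jar) to confirm the swap removed both findings.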