
Reputation: 155

Where can I find JSTL version 1.2.3 or newer?

I am using jstl-1.1.2 jar in my application. Veracode shows high vulnerability for using this tag library. Veracode shows vulnerability for versions until 1.2.3. During my research I could only find version 1.2. Is there a version 1.2.3 for this jar? Or is there anything I can do to remediate this vulnerability?

What are my options? Please suggest.

My Maven dependency looks like:

<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.1.2</version>
</dependency>

Upvotes: 5

Views: 8120

Answers (1)

Nowhere Man

Reputation: 19545

Maven repository shows v.1.2 is available (Jun 23, 2011):

<!-- https://mvnrepository.com/artifact/javax.servlet/jstl -->
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version>
</dependency>

Also, JSTL was moved to another place, v.1.2 (May 14, 2015):

<!-- https://mvnrepository.com/artifact/javax.servlet.jsp.jstl/jstl -->
<dependency>
    <groupId>javax.servlet.jsp.jstl</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version>
</dependency>

Similarly, Maven repository shows v.1.2.5 for taglibs is available:

<!-- https://mvnrepository.com/artifact/org.apache.taglibs/taglibs-standard-impl -->
<dependency>
    <groupId>org.apache.taglibs</groupId>
    <artifactId>taglibs-standard-impl</artifactId>
    <version>1.2.5</version>
</dependency>

So, only the taglibs can be updated to v.1.2.5 to mitigate this vulnerability:

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a <x:parse> or <x:transform> JSTL XML tag.

Upvotes: 4
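A pom.xml check for the coordinates discussed in this thread, added here as an example rather than code from the question or answer: it reports any of the three artifacts above whose version is below 1.2.3 (the threshold the asker's scanner applies), resolving `${property}` versions from `<properties>`; the sample POM is constructed.

```python
"""Flag JSTL / Apache Standard Taglibs dependencies below 1.2.3 in a pom.xml.
Added example, not from the original post; the sample POM is constructed."""
import re
import xml.etree.ElementTree as ET

# Coordinates named in the answer; anything before 1.2.3 is what the scanner flags
# (XXE via <x:parse>/<x:transform>, fixed in Apache Standard Taglibs 1.2.3).
WATCHED = {("javax.servlet", "jstl"), ("javax.servlet.jsp.jstl", "jstl"),
           ("org.apache.taglibs", "taglibs-standard-impl")}
FIXED_IN = (1, 2, 3)

def _local(tag):
    """Strip the POM xmlns so the scan works with or without a namespace."""
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    """'1.2.5' -> (1, 2, 5); '1.2' -> (1, 2, 0); '-SNAPSHOT' style qualifiers ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-", 1)[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_vulnerable(pom_xml):
    """Return [(groupId, artifactId, version)] for watched deps below 1.2.3;
    ${prop} versions come from <properties>, unresolvable ones are reported as '?'."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for node in root.iter() if _local(node.tag) == "properties" for p in node}
    hits = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        coord = (f.get("groupId"), f.get("artifactId"))
        if coord not in WATCHED:
            continue
        version = f.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)
        version = props.get(m.group(1), "") if m else version
        if not version:
            hits.append(coord + ("?",))      # unknown: review by hand
        elif parse_version(version) < FIXED_IN:
            hits.append(coord + (version,))
    return hits

# Constructed sample: the asker's 1.1.2 jar beside a property-managed taglibs 1.2.5.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
 <properties><taglibs.version>1.2.5</taglibs.version></properties>
 <dependencies>
  <dependency><groupId>javax.servlet</groupId><artifactId>jstl</artifactId><version>1.1.2</version></dependency>
  <dependency><groupId>org.apache.taglibs</groupId><artifactId>taglibs-standard-impl</artifactId><version>${taglibs.version}</version></dependency>
 </dependencies></project>"""
```

Running `find_vulnerable(SAMPLE_POM)` reports only the javax.servlet:jstl:1.1.2 entry; the taglibs-standard-impl 1.2.5 dependency passes, which is the upgrade the answer recommends.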
