flightstats / hub

fault tolerant, highly available service for data storage and distribution
http://www.flightstats.com
MIT License

Bump version of apache.commons to 1.10.0 in response to CVE-2022-42889 #1305

Closed lkemmerer closed 1 year ago

lkemmerer commented 1 year ago

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Per Apache, our code shouldn't be affected:

On 2022-10-13, the Apache Commons Text team disclosed CVE-2022-42889. Key takeaways:

  • If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
  • If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.
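The Apache guidance quoted above turns on one question: does the code hand untrusted text to a StringSubstitutor whose lookups can do more than read a map? The following Java snippet is an added illustration, not code from the flightstats/hub project or from this PR. It contrasts a substitutor restricted to an explicit map of variables (so template text can only resolve those keys) with the full interpolator, which carries the default lookups and belongs nowhere near untrusted input. The class name, the variable names and the sample values are constructed for the example.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeSubstitutionExample {

    // Constructed sample: the only variables we deliberately expose to templates.
    private static final Map<String, String> ALLOWED_VARS = Map.of(
            "channel", "example-channel",
            "host", "hub.example.internal");

    /**
     * Builds a substitutor that can only resolve keys present in ALLOWED_VARS.
     * A plain map lookup has no "script:", "dns:" or "url:" prefixes at all,
     * so untrusted template text cannot reach the interpolating lookups that
     * CVE-2022-42889 concerns, regardless of the commons-text version.
     */
    public static StringSubstitutor restrictedSubstitutor() {
        StringLookup mapOnly = StringLookupFactory.INSTANCE.mapStringLookup(ALLOWED_VARS);
        return new StringSubstitutor(mapOnly);
    }

    /**
     * Renders a template supplied by an untrusted caller. Because the resolver
     * is a map lookup rather than an interpolator, a reference such as
     * "${anything:else}" is simply looked up as a literal key, not found, and
     * left in place unresolved.
     */
    public static String render(String untrustedTemplate) {
        return restrictedSubstitutor().replace(untrustedTemplate);
    }

    /**
     * Contrast: the interpolator wires in the default lookups. Before 1.10.0
     * those defaults included script, dns and url; from 1.10.0 they are left
     * out unless explicitly enabled. Reserve this for templates the
     * application itself controls.
     */
    public static StringSubstitutor fullInterpolator() {
        return StringSubstitutor.createInterpolator();
    }

    public static void main(String[] args) {
        // Both references resolve from the allow-listed map.
        System.out.println(render("channel=${channel} host=${host}"));
        // An unknown reference is left as-is rather than evaluated.
        System.out.println(render("unknown=${nosuch:key}"));
    }
}
```

The restricted form is the "properly sanitize" half of Apache's advice expressed as configuration rather than input filtering: the set of resolvable names is fixed by the application, so the version bump becomes defence in depth instead of the only line of defence.
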

lkemmerer commented 1 year ago

confirmed with Joe that he meant to sign off on this. 😄