jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0

[Security] Apache commons-text-1.9.jar contains CVE #96

Closed plinss closed 1 year ago

plinss commented 1 year ago

The Docker image includes an instance of Apache's commons-text-1.9.jar, which has a known CVE: https://commons.apache.org/proper/commons-text/security.html

It's not clear if this CVE is relevant as it only impacts code that uses the StringSubstitutor API without sanitization, but my org's file scanners are alerting about it.

davidjgraph commented 1 year ago

The next release does have an update, just need a trigger for the build process and this will update.

That said, we don't believe any of our code to be vulnerable.
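A practical check for the situation described in this issue: the scanner flagged the jar by file name, so the first thing to confirm is which commons-text version is actually inside the image, including inside shaded or renamed jars where the file name says nothing. The script below is an added example, not code from the docker-drawio repository or from draw.io; it reads the version from the Maven pom.properties that the commons-text jar carries and compares it against 1.10.0, the release listed on the linked security page as the fix for CVE-2022-42889 (the interpolation lookups that make the unsanitized StringSubstitutor usage dangerous were introduced in 1.5 and disabled by default in 1.10.0). The directory layout, jar names and jar contents in `demo()` are constructed test data.

```python
"""Find Apache commons-text jars older than 1.10.0 under a directory tree,
for example a container filesystem exported with `docker export`.

Added example, not part of jgraph/docker-drawio. The version is taken from
the Maven pom.properties inside each jar, not from the file name, so a
shaded or renamed jar is still reported.
"""
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
FIRST_AFFECTED = (1, 5, 0)   # interpolation lookups (script/dns/url) arrived in 1.5
FIXED_VERSION = (1, 10, 0)   # first release with those lookups disabled by default


def parse_version(text):
    """'1.9' -> (1, 9, 0); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def commons_text_version(jar_path):
    """Return the commons-text version embedded in the jar, or None if it is not there."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPERTIES not in zf.namelist():
                return None
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
    except zipfile.BadZipFile:
        return None
    return None


def is_affected(version):
    """True for 1.5 <= version < 1.10.0, the range covered by the commons-text advisory."""
    v = parse_version(version)
    return v is not None and FIRST_AFFECTED <= v < FIXED_VERSION


def scan_tree(root):
    """Return {jar path: (version, affected)} for every commons-text jar under root."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            version = commons_text_version(path)
            if version is not None:
                findings[path] = (version, is_affected(version))
    return findings


def make_sample_jar(path, version):
    """Constructed test data: a minimal jar carrying only a manifest and, if given, pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPERTIES,
                        f"version={version}\ngroupId=org.apache.commons\nartifactId=commons-text\n")


def demo():
    """Build a constructed webapp layout with one 1.9 jar, one shaded 1.10.0 jar and one
    unrelated jar, then return the scan results keyed by file name."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "usr", "local", "tomcat", "webapps", "ROOT", "WEB-INF", "lib")
    os.makedirs(lib)
    make_sample_jar(os.path.join(lib, "commons-text-1.9.jar"), "1.9")   # flagged by the scanner
    make_sample_jar(os.path.join(lib, "shaded-app.jar"), "1.10.0")      # renamed, already fixed
    make_sample_jar(os.path.join(lib, "other.jar"), None)               # no commons-text inside
    return {os.path.basename(p): result for p, result in scan_tree(root).items()}


if __name__ == "__main__":
    for name, (version, affected) in sorted(demo().items()):
        print(f"{name}: commons-text {version} -> {'AFFECTED' if affected else 'ok'}")
```

To run it against the real image, create a container from it and dump its filesystem (`docker create` followed by `docker export`, untarred into a scratch directory), then call `scan_tree()` on that directory. A hit only confirms that the affected library is present; as the comments above note, the library is exploitable only where application code passes untrusted input to an interpolating StringSubstitutor, so the version check settles the scanner alert, not the exploitability question.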