Closed plinss closed 1 year ago
The Docker image includes an instance of Apache's commons-text-1.9.jar which has a known CVE: https://commons.apache.org/proper/commons-text/security.html
It's not clear if this CVE is relevant as it only impacts code that uses the StringSubstitutor API without sanitization, but my org's file scanners are alerting about it.
The next release does have an update; we just need a trigger for the build process and this will update.
That said, we don't believe any of our code to be vulnerable.