Closed jinsenianhua-ai closed 1 year ago
As far as we can see, only spring-cloud-contract uses this library. We will update the library in the next release. In the meantime you can specify the version of the library that is not affected by the CVE in your own POM.
So I just need to upgrade the Spring Cloud Contract in the pom file?
A new release won't happen for a week or so. In the meantime, upgrade Apache Commons Text.
Spring Cloud Contract does not use the vulnerable class.
The dependent software Apache Commons Text 1.9 in Spring Cloud v2021.0.2 has a CVE-2022-42889 vulnerability. Does this affect Spring Cloud v2021.0.2?
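One way to check which dependency pulls in Apache Commons Text, and whether a version override in your own POM took effect, is to parse the output of `mvn dependency:tree`. This is an added example, not part of the original thread and not Spring's own tooling. The sample tree, the artifact names other than commons-text, and the `FLAGGED` set (limited to the 1.9 named in the issue) are assumptions.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the issue).
# Every version except commons-text 1.9 is a placeholder.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:0.0.1
[INFO] +- org.springframework.cloud:spring-cloud-contract-verifier:jar:0.0.0:test
[INFO] |  +- com.example:helper:jar:0.0.0:test
[INFO] |  \- org.apache.commons:commons-text:jar:1.9:test
[INFO] \- com.example:web:jar:0.0.0:compile
"""

# Tree prefix is built from 3-character units: "|  ", "   ", "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] ((?:[| ]  |[+\\]- )*)(\S+:\S+)")
TARGET = "org.apache.commons:commons-text"
FLAGGED = {"1.9"}  # assumption: only the version the issue names for CVE-2022-42889


def find_artifact(tree_text, target=TARGET):
    """Return [(version, [ancestor coordinates])] for each occurrence of target."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, summary or blank line
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue
        coord = f"{parts[0]}:{parts[1]}"
        # Root is group:artifact:type:version; dependencies end with :version:scope.
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        stack.append(coord)
        if coord == target:
            hits.append((version, list(stack[:-1])))
    return hits


def flagged(tree_text):
    """Occurrences of the target whose resolved version is in FLAGGED."""
    return [(v, chain) for v, chain in find_artifact(tree_text) if v in FLAGGED]


if __name__ == "__main__":
    for version, chain in flagged(SAMPLE_TREE):
        print(f"{TARGET}:{version} via " + " -> ".join(chain))
```

Run it against your own `mvn dependency:tree` output before and after pinning the version; an empty result from `flagged` means the resolved version is no longer in the flagged set.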