spring-cloud / spring-cloud-release

Spring Cloud Release Train - dependency management across a wide range of Spring Cloud projects.
http://projects.spring.io/spring-cloud
Apache License 2.0

spring cloud v2021.0.2 release for CVE-2022-42889 #251

Closed jinsenianhua-ai closed 1 year ago

jinsenianhua-ai commented 1 year ago

The dependent software Apache Commons Text 1.9 in spring cloud v2021.0.2 has a CVE-2022-42889 vulnerability. Does this affect spring cloud v2021.0.2?

ryanjbaxter commented 1 year ago

As far as we can see, only spring-cloud-contract uses this library. We will update the library in the next release. In the meantime you can specify the version of the library that is not affected by the CVE in your own POM.

jinsenianhua-ai commented 1 year ago

So I just need to upgrade the Spring Cloud Contract version in the POM file?

spencergibb commented 1 year ago

A new release won't happen for a week or so. In the meantime, upgrade Apache Commons Text.

spencergibb commented 1 year ago

Spring Cloud Contract does not use the vulnerable class.
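The mitigation suggested by the maintainers above (pinning Apache Commons Text in your own POM while waiting for the next release train) looks like the following Maven fragment. This is an added example, not code from the thread or from the Spring Cloud project; the Maven coordinates are Maven Central's, the release train version is the one from the issue title, and the fixed Commons Text version is left as a placeholder because the thread does not name it.

```xml
<!-- Added example (not from the thread): override the Commons Text version that
     the Spring Cloud 2021.0.2 BOM would otherwise bring in transitively.
     FIXED_VERSION_HERE is a placeholder for a release not affected by CVE-2022-42889. -->
<project>
  <properties>
    <!-- Replace with a Commons Text release that is not affected by CVE-2022-42889 -->
    <commons-text.version>FIXED_VERSION_HERE</commons-text.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- An explicit entry here wins over a version imported from a BOM,
           regardless of the order in which the two are listed. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>${commons-text.version}</version>
      </dependency>

      <!-- Spring Cloud release train BOM (version from the issue title) -->
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>2021.0.2</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` shows which version every module actually resolves, so you can confirm the pinned version is the only one on the classpath.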