ultraq / thymeleaf-layout-dialect

A dialect for Thymeleaf that lets you build layouts and reusable templates in order to improve code reuse
https://ultraq.github.io/thymeleaf-layout-dialect/
Apache License 2.0

High vulnerability in Thymeleaf through 3.1.1.RELEASE #239

Closed nunocarvalhog closed 1 year ago

nunocarvalhog commented 1 year ago

Hello 👋

CVE-2023-38286

Currently thymeleaf-layout-dialect:3.2.1 is exposed because it uses the thymeleaf/3.0.15.RELEASE.

Could you please recover the https://github.com/ultraq/thymeleaf-layout-dialect/issues/228 to use a patched Thymeleaf version?

Thanks!

ultraq commented 1 year ago

Hey there, thanks for the report. I can make a release of the layout dialect that has a dependency on the latest version of Thymeleaf, and in the interim anybody can manually specify the newer version of Thymeleaf if they need (I believe a lot of people do this anyway since they select Thymeleaf first or use the version that's included in Spring Boot, before adding the layout dialect) as the layout dialect works with both 3.0 and 3.1 versions of Thymeleaf.
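The workaround described in the comment above, pinning a patched Thymeleaf in the consuming project's own build, as an added example that is not part of this thread or the project's code; it assumes a plain Maven project using the published coordinates `org.thymeleaf:thymeleaf` and `nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect`:

```xml
<!-- Added example: keep thymeleaf-layout-dialect 3.2.1 but force the patched
     Thymeleaf 3.1.2.RELEASE instead of the 3.0.15.RELEASE it pulls in transitively.
     Assumes a plain Maven project; with spring-boot-starter-parent, setting the
     thymeleaf.version property alone is enough because the parent's
     dependencyManagement already references it. -->
<project>
  <!-- other project configuration unchanged -->

  <properties>
    <!-- single place to bump when a newer fixed release ships -->
    <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- managed versions win over transitive ones, so the dialect's own
           declared Thymeleaf version is overridden at resolution time -->
      <dependency>
        <groupId>org.thymeleaf</groupId>
        <artifactId>thymeleaf</artifactId>
        <version>${thymeleaf.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>nz.net.ultraq.thymeleaf</groupId>
      <artifactId>thymeleaf-layout-dialect</artifactId>
      <version>3.2.1</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.thymeleaf:thymeleaf`, which should list the artifact at 3.1.2.RELEASE rather than 3.0.15.RELEASE.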

ultraq commented 1 year ago

I've just released 3.3.0 (should show up on Maven Central in a bit), which now has a dependency on Thymeleaf 3.1.2.RELEASE.