Mathieu Veurman created CXF-8687:
------------------------------------

Summary: Version 3.4.6 contains vulnerable spring version
Key: CXF-8687
URL: https://issues.apache.org/jira/browse/CXF-8687
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 3.4.6
Reporter: Mathieu Veurman

Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing this CVE:
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

I do see this commit where the proper version of spring is referenced:
[https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d]

Any chance this will be released quickly as 3.4.7?