Hi Denis, We will take a look. But note that "cayenne-velocity" is a separate optional module. You don't have to include it in your app unless you are using advanced SQL template scripting. Most SQLSelect / SQLExec queries work fine without it and still allow basic scripting.
Andrus

> On May 5, 2025, at 4:18 AM, LAMARCHE Denis (BPCE-IT) <denis.lamar...@bpce-it.fr.INVALID> wrote:
>
> Hello,
>
> I have had some problems obtaining validation to go live in Production with an image, because Twistlock reports a critical alert (CVSS 7.5), CVE-2024-47554, in Apache Cayenne.
> https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1
> https://nvd.nist.gov/vuln/detail/CVE-2024-47554
>
> Actually, Apache Cayenne 4.2.2 uses velocity-engine-core 2.3, which references an affected version of the commons.io library (2.8.0).
> Is it planned to fix this CVE by including version 2.4 or 2.4.1 of the velocity-engine-core library in the next release of Apache Cayenne?
>
> If not, how can we push this request?
>
> Is it possible to add an enhancement request for the inclusion of velocity-engine-core 2.4 or 2.4.1 in the next release of Apache Cayenne, so as not to have the CVE-2024-47554 vulnerability?
>
> Best regards,
>
> Denis LAMARCHE
> ------------------------------------------------------------------------------
> The integrity of this message cannot be guaranteed on the Internet. BPCE-IT cannot therefore be considered responsible for the contents. If you are not the intended recipient of this message, then please delete it and notify the sender.
> ------------------------------------------------------------------------------
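The two remediation paths discussed in this thread (dropping the optional cayenne-velocity module, as Andrus suggests, or pinning velocity-engine-core to 2.4.1, as Denis requests) can both be expressed in a Maven build. The POM fragment below is an added example and is not from the Cayenne project or either correspondent; it assumes the Maven coordinates `org.apache.cayenne:cayenne-velocity` and `org.apache.velocity:velocity-engine-core`, and the Cayenne artifact through which cayenne-velocity is pulled in (`cayenne-server` here) is a placeholder to be replaced with whatever your own dependency tree shows.

```xml
<!-- Added example, not part of the original thread or the Cayenne project. -->
<project>
  <!-- Option A (Andrus's advice): do not ship the optional cayenne-velocity
       module at all. Only needed if you never use advanced SQL template
       scripting; plain SQLSelect / SQLExec keep working without it. -->
  <dependencies>
    <dependency>
      <groupId>org.apache.cayenne</groupId>
      <artifactId>cayenne-server</artifactId>          <!-- placeholder artifact; use your own -->
      <version>4.2.2</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.cayenne</groupId>
          <artifactId>cayenne-velocity</artifactId>    <!-- assumed artifactId -->
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <!-- Option B (Denis's request, applied locally): keep cayenne-velocity but
       override the transitive velocity-engine-core version so that the
       commons-io 2.8.0 it references is no longer resolved. Versions are
       the ones named in the thread. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.velocity</groupId>           <!-- assumed groupId -->
        <artifactId>velocity-engine-core</artifactId>
        <version>2.4.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Use only one of the two options. After either change, confirm that the affected commons-io version is actually gone from the resolved tree with `mvn dependency:tree -Dincludes=commons-io`; a scanner such as Twistlock reports on what is in the built image, not on what the POM intends, so the check belongs in the build before the image is rescanned.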