Details
- Bug
- Status: Closed
- Critical
- Resolution: Not A Bug
- 3.4.6
- None
- None
- Unknown
Description
Version 3.4.6 contains the vulnerable Spring core version 5.2.19, containing this CVE:
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
I do see this commit where the proper version of Spring is referenced:
https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d
Any chance this will be released quickly as 3.4.7?