[CXF-8687] Version 3.4.6 contains vulnerable spring version - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Not A Bug
Affects Version/s: 3.4.6
Fix Version/s: None
Component/s: Core
Labels:
None

Estimated Complexity:
Unknown

Description

Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing this CVE:

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

I do see this commit where the proper version of spring is referenced:

https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d

Any chance this will be released quickly as 3.4.7?

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Mathieu Veurman

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/Apr/22 08:20

Updated:: 18/Sep/23 18:49

Resolved:: 06/Apr/22 14:54