-
Notifications
You must be signed in to change notification settings - Fork 213
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is javalite-2.6-j8 affected by the vulnerability of Apache Commons Text? #1245
Comments
The JavaLite Async uses Apache Artemis, which, in turn pulls org.apache.commons:commons-text:jar:1.9. I will see to upgrade the ApacheArtemis to the latest. This should fix this issue.
|
@ZeyuLiu12 unfortunately upgrading to artemis-server 2.6.0 (Latest) did not solve the issue:
as you can see, @ZeyuLiu12 would you be so kind and report this to the ActiveMQ team here: https://activemq.apache.org/issues? |
@ipolevoy okay, thank you very much. |
A vulnerability was found in Apache Commons Text recently, javalite-2.6-j8 contains passive dependencies commons-text 1.8
Is javalite-2.6-j8 affected by that?
Details could be found in: https://seclists.org/oss-sec/2022/q4/22
GHSA-599f-7c49-w659: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
Thanks.
@ipolevoy
The text was updated successfully, but these errors were encountered: