This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

CVE-2022-42889 in latest version #888

Open
jaydeepkhandelwal opened this issue Nov 2, 2022 · 3 comments

@jaydeepkhandelwal

Describe the bug
commons-text (>= 1.5 and <= 1.9) has been flagged by CVE-2022-42889. It affects graphql-spring-boot, as its latest version still contains a vulnerable version of commons-text (1.9).

To Reproduce
https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Expected behavior
Upgrade commons-text to 1.10.0 or greater.
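A quick way to confirm whether a particular build is affected, added here as an example that is not part of this issue or of the project's own code: parse the output of `mvn dependency:tree`, locate `org.apache.commons:commons-text`, and flag any version inside the 1.5 to 1.9 range the report cites, printing the transitive path that pulls it in. The sample tree embedded below is constructed; its coordinates, versions and nesting are illustrative and not the project's real dependency graph, and the function names are my own.

```python
"""Flag vulnerable commons-text versions in `mvn dependency:tree` output (CVE-2022-42889)."""
import re
from typing import List, Tuple

# Affected range as stated in the issue / NVD entry: commons-text >= 1.5 and <= 1.9.
# Versions are compared as zero-padded (major, minor, patch) tuples so "1.9" == "1.9.0".
VULN_MIN = (1, 5, 0)
VULN_MAX = (1, 9, 0)
TARGET = ("org.apache.commons", "commons-text")

# Constructed sample output (NOT a real dependency graph of graphql-spring-boot;
# the coordinates, versions and nesting are illustrative only).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- com.graphql-java-kickstart:graphql-spring-boot-starter:jar:14.0.0:compile
[INFO] |  \- com.graphql-java-kickstart:graphql-spring-boot-autoconfigure:jar:14.0.0:compile
[INFO] |     \- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
[INFO] BUILD SUCCESS
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """'1.10.0' -> (1, 10, 0); '1.9' -> (1, 9, 0); a qualifier like '-SNAPSHOT' is ignored."""
    nums: List[int] = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_vulnerable_commons_text(version: str) -> bool:
    """True when the version lies inside the CVE-2022-42889 range (1.5 .. 1.9 inclusive)."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def find_vulnerable_paths(tree_output: str) -> List[Tuple[str, List[str]]]:
    """Walk a Maven dependency tree and return (version, path-from-root) for every
    vulnerable commons-text node, so the transitive parent that drags it in is visible.

    Depth is recovered from the tree drawing: Maven indents 3 characters per level
    ('+- ', '\\- ', '|  ', '   ') after the '[INFO] ' prefix.
    """
    stack: List[str] = []
    hits: List[Tuple[str, List[str]]] = []
    for raw in tree_output.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        body = raw[len("[INFO] "):]
        m = re.search(r"[A-Za-z0-9]", body)
        if not m:
            continue
        coords = body[m.start():].split(":")
        # group:artifact:type[:classifier]:version[:scope]; anything shorter is build chatter
        if len(coords) < 4 or " " in coords[0]:
            continue
        depth = m.start() // 3
        group, artifact = coords[0], coords[1]
        version = coords[-2] if len(coords) >= 5 else coords[3]
        del stack[depth:]  # pop back to this node's parent
        stack.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == TARGET and is_vulnerable_commons_text(version):
            hits.append((version, list(stack)))
    return hits


if __name__ == "__main__":
    for version, path in find_vulnerable_paths(SAMPLE_TREE):
        print(f"commons-text {version} is in the CVE-2022-42889 range, pulled in via:")
        print("  " + " -> ".join(path))
```

Run `mvn dependency:tree` in the affected project and pass its output to `find_vulnerable_paths`; a non-empty result means commons-text still resolves to a version in the affected range. Until a graphql-spring-boot release containing the fix is adopted, Maven's `<dependencyManagement>` section (or a Gradle dependency constraint) can pin the transitive commons-text version to 1.10.0, and re-running the check confirms that the pin actually took effect.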

@steam0

steam0 commented Nov 21, 2022

When will there be a bugfix release of this package that resolves this bug? Is there a release in the works, or will this take a long time?

@aembleton

Looks like a fix has been made but a release hasn't been created here: 69dade8

It would be good to make point releases with this fix for older versions such as 12.0.0 so that a major upgrade doesn't need to take place.

@oliemansm
Member

Just published release 14.1.0: https://github.com/graphql-java-kickstart/graphql-spring-boot/releases/tag/v14.1.0.

Will check if I can set up a pipeline to release a fix for 12.0.0. Although upgrading from v12.0.0 to the latest shouldn't really cause any major issues.


4 participants