Posted to issues@nifi.apache.org by "Phil Lee (Jira)" <ji...@apache.org> on 2022/12/14 18:04:00 UTC

[jira] [Created] (NIFI-10982) Update org.springframework_spring-web

Phil Lee created NIFI-10982:
-------------------------------

             Summary: Update org.springframework_spring-web
                 Key: NIFI-10982
                 URL: https://issues.apache.org/jira/browse/NIFI-10982
             Project: Apache NiFi
          Issue Type: Improvement
    Affects Versions: 1.19.1
            Reporter: Phil Lee


Update org.springframework_spring-web from 5.3.24 to 6.0.0. This will remediate [CVE-2016-1000027|https://nvd.nist.gov/vuln/detail/CVE-2016-1000027]

Twistlock scan reported this as critical severity vulnerability in NiFi Toolkit (which is included in NiFi version 1.19.1).
Impacted versions: <6.0.0
Discovered: 2 days ago
Published: more than 2 years ago
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
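A check a practitioner would run against this ticket: scan `mvn dependency:tree` output for the spring-web artifact and flag any resolved version below the 6.0.0 threshold the ticket gives as the impacted range. This is an added example, not code from the NiFi project or the Jira issue; the dependency tree below is constructed for illustration and the coordinate format (`groupId:artifactId:packaging[:classifier]:version[:scope]`) is assumed to match Maven's tree output.

```python
import re

# Maven coordinate: groupId:artifactId:packaging[:classifier]:version[:scope]
_COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+)(?::\w+)?")

FIXED_VERSION = "6.0.0"  # ticket: "Impacted versions: <6.0.0"
TARGET = ("org.springframework", "spring-web")
CVE = "CVE-2016-1000027"


def parse_version(version: str) -> tuple:
    """Turn a Maven version into a comparable tuple.
    Numeric components compare as integers; a qualifier such as RC1 or
    SNAPSHOT sorts below the plain release with the same numbers."""
    numeric, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in numeric.split("."))
    return (nums, 0 if not qualifier else -1, qualifier)


def find_impacted(tree_output: str) -> list:
    """Return each spring-web coordinate in the tree whose version is below
    FIXED_VERSION, regardless of scope (test-scoped copies still get flagged
    so the reader can decide whether they ship)."""
    findings = []
    for line in tree_output.splitlines():
        m = _COORD.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if (group, artifact) != TARGET:
            continue
        if parse_version(version) < parse_version(FIXED_VERSION):
            findings.append({"artifact": f"{group}:{artifact}",
                             "version": version, "cve": CVE})
    return findings


# Constructed sample of `mvn dependency:tree` output; not a real NiFi tree.
SAMPLE_TREE = """\
[INFO] org.apache.nifi:nifi-toolkit-example:jar:1.19.1
[INFO] +- org.springframework:spring-web:jar:5.3.24:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.24:compile
[INFO] +- org.springframework:spring-web:jar:6.0.0:test
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

if __name__ == "__main__":
    for f in find_impacted(SAMPLE_TREE):
        print(f"{f['artifact']} {f['version']} is below {FIXED_VERSION}: {f['cve']}")
```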