Posted to dev@calcite.apache.org by "Scott Reynolds (Jira)" <ji...@apache.org> on 2022/02/27 02:51:00 UTC

[jira] [Created] (CALCITE-5025) Update commons-io:commons-io Directory Traversal vulnerability

Scott Reynolds created CALCITE-5025:
---------------------------------------

             Summary: Update commons-io:commons-io Directory Traversal vulnerability
                 Key: CALCITE-5025
                 URL: https://issues.apache.org/jira/browse/CALCITE-5025
             Project: Calcite
          Issue Type: Bug
            Reporter: Scott Reynolds


Calcite depends on commons-io:commons-io 2.4 -- which was released on {{2012-06-12}} -- which can be exploited to access parent directories. In recent months, there have been a fair number of releases for this package and [Snyk lists this as the only vulnerability it has seen|https://snyk.io/vuln/maven:commons-io:commons-io].

Task is simple, bump the version to 2.7 or higher -- if I may suggest just going to 2.11.0.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)