Posted to issues@nifi.apache.org by "Chris Sampson (Jira)" <ji...@apache.org> on 2023/03/24 07:43:00 UTC

[jira] [Commented] (NIFI-11339) Update org.springframework_spring-core to 5.3.26 or 6.0.7

    [ https://issues.apache.org/jira/browse/NIFI-11339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17704492#comment-17704492 ] 

Chris Sampson commented on NIFI-11339:
--------------------------------------

Already done by NIFI-11320 for NiFi 2.0.0 and 1.21.0

> Update org.springframework_spring-core to 5.3.26 or 6.0.7
> ---------------------------------------------------------
>
>                 Key: NIFI-11339
>                 URL: https://issues.apache.org/jira/browse/NIFI-11339
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.20.0
>            Reporter: Phil Lee
>            Priority: Major
>
> Update org.springframework_spring-core from 5.3.24 to 5.3.26 or 6.0.7.  This will remediate [https://nvd.nist.gov/vuln/detail/CVE-2023-20861] 
> Twistlock scan reported this as high severity vulnerability in NiFi Registry version 1.20.0.
> Impacted versions: >=5.3.0 and <5.3.26
> Discovered: less than an hour ago
> Published: 7 hours ago
> In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
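Worked example added after the thread (not code from the Jira issue, the NiFi project, or the CVE advisory): a small checker that reads `mvn dependency:tree` output, finds every `org.springframework:spring-core` version, and tests it against the inclusive affected ranges quoted from the CVE text above (6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE). The fixed versions it recommends are the two named in the issue title, 5.3.26 and 6.0.7; the page names no fixed 5.2.x version, so that line is reported as affected with no fix. The dependency tree, artifact names and the `.RELEASE` handling are assumptions made for the example, and the "older unsupported versions" clause of the advisory is not modelled.

```python
"""Check a Maven dependency tree for spring-core versions in the ranges quoted
for CVE-2023-20861 in NIFI-11339. Example code, not NiFi's own tooling."""
import re
from typing import Dict, List, Optional, Tuple

# Inclusive ranges exactly as quoted from the CVE text in the issue.
# "Older unsupported versions" are not modelled (assumption of this example).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("6.0.0", "6.0.6"),
    ("5.3.0", "5.3.25"),
    ("5.2.0.RELEASE", "5.2.22.RELEASE"),
]

# Fixed versions named in the issue title. The page states no fixed 5.2.x
# version, so that line deliberately maps to None.
FIXED_BY_LINE: Dict[Tuple[int, int], Optional[str]] = {
    (5, 3): "5.3.26",
    (6, 0): "6.0.7",
    (5, 2): None,
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise '5.3.24' or '5.2.22.RELEASE' into a comparable (major, minor, patch).

    Spring 5.2.x and earlier suffix GA versions with '.RELEASE'; it carries no
    ordering information, so it is stripped (assumption). Any other qualifier
    (SNAPSHOT, RC, M) is a pre-release and is rejected rather than misclassified.
    """
    core = version[: -len(".RELEASE")] if version.endswith(".RELEASE") else version
    if not re.fullmatch(r"\d+(\.\d+){0,2}", core):
        raise ValueError(f"unsupported version qualifier in {version!r}")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))  # pad '5.3' to (5, 3, 0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if version falls inside any of the quoted inclusive ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> Optional[str]:
    """Fixed version on the same minor line per the issue title; None when the
    version is not affected or the page names no fix for that line."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    return FIXED_BY_LINE.get((major, minor))


# One `mvn dependency:tree` node: groupId:artifactId:type:version:scope
DEP_RE = re.compile(r"([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+):[a-z]+:([^:\s]+):[a-z]+")


def find_versions(tree_text: str, group: str = "org.springframework",
                  artifact: str = "spring-core") -> List[str]:
    """Every version of group:artifact present in the tree output, in order."""
    found: List[str] = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) == group and m.group(2) == artifact:
            found.append(m.group(3))
    return found


def assess(tree_text: str) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map each spring-core version found to (affected?, fix named on the page)."""
    return {v: (is_affected(v), minimum_fix(v)) for v in find_versions(tree_text)}


# Constructed sample in the shape of `mvn dependency:tree` output. The artifact
# names and tree layout are illustrative, not NiFi Registry's real tree.
SAMPLE_TREE = """\
[INFO] org.example:example-web-api:war:1.0.0
[INFO] +- org.springframework:spring-web:jar:5.3.24:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.24:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.24:compile
[INFO] |     \\- org.springframework:spring-jcl:jar:5.3.24:compile
[INFO] \\- org.example:example-lib:jar:2.1.0:compile
"""

if __name__ == "__main__":
    for version, (affected, fix) in assess(SAMPLE_TREE).items():
        if not affected:
            status = "not affected"
        elif fix:
            status = f"affected, upgrade to {fix}"
        else:
            status = "affected, no fixed version named on the page"
        print(f"spring-core {version}: {status}")
```

Run `mvn dependency:tree` in the module you are scanning and feed its output to `assess` in place of `SAMPLE_TREE`; a transitive spring-core pulled in by another dependency shows up the same way a direct one does, which is the case a scanner such as Twistlock flags but a quick look at the top-level pom misses.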