jenkinsci/git-changelog-plugin

Git Changelog uses apache-commons-text 1.6, which has a vulnerability

Closed · 1 comment

Jenkins and plugins versions report


What Operating System are you using (both controller, and any agents involved in the problem)?

Windows 2012 Server

Reproduction steps

From Wizscan, this plugin has handlebars-4.3.0.jar, which exposes the Apache Commons Text security issue:

https://www.imperva.com/blog/apache-commons-text-vulnerability-cve-2022-42889/

Expected Results

Use apache-commons-text version 1.10.0.

Actual Results

Apache-commons-text version is 1.6.0

Anything else?

No response

Stepping handlebars library to 4.3.1 and using that in git-changelog-lib.
Releasing that as 1.168.4 and using it in this plugin as 3.24.
(Relates to jknack/handlebars.java#1009)
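To verify that a plugin build actually ships the fixed dependency (the report's expected 1.10.0 versus the actual 1.6.0, and the maintainer's bump via handlebars 4.3.1), the following is an added check script, not part of this issue or the plugin's code. It scans a Jenkins plugin archive (.hpi/.jpi, a zip with dependencies under WEB-INF/lib) for bundled commons-text jars and flags any version below 1.10.0; the sample archive it builds is constructed inline.

```python
"""Scan a Jenkins plugin archive for bundled commons-text jars below the fixed version."""
import io
import re
import zipfile
from typing import List, Tuple

# First commons-text release with the CVE-2022-42889 fix (the version the report expects).
FIXED_VERSION = (1, 10, 0)
# Matches e.g. WEB-INF/lib/commons-text-1.6.jar; a transitive copy pulled in by
# handlebars sits in the same directory, so it is caught as well.
JAR_RE = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.6' or '1.10.0' into a 3-tuple; pad so (1, 10) is not ordered below (1, 10, 0)."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def scan_archive(data: bytes) -> List[Tuple[str, str, bool]]:
    """Return (path, version, vulnerable) for every commons-text jar inside the archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                findings.append((name, m.group(1), is_vulnerable(m.group(1))))
    return findings


def scan_file(path: str) -> List[Tuple[str, str, bool]]:
    """Convenience wrapper for a real .hpi/.jpi on disk."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read())


def build_sample_hpi(commons_text_version: str) -> bytes:
    """Constructed stand-in for a plugin archive; jar entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("WEB-INF/lib/handlebars-4.3.0.jar", b"")
        zf.writestr(f"WEB-INF/lib/commons-text-{commons_text_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("1.6", "1.10.0"):
        for path, ver, vuln in scan_archive(build_sample_hpi(v)):
            print(f"{path}: {'VULNERABLE' if vuln else 'ok'} (commons-text {ver})")
```

Run `scan_file("git-changelog.hpi")` against the installed plugin to confirm the fix landed after upgrading.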