Git Changelog uses apache-commons-text 1.6, which has a vulnerability
Closed this issue · 1 comments
johnswu commented
Jenkins and plugins versions report
Environment
Paste the output here
What Operating System are you using (both controller, and any agents involved in the problem)?
Windows 2012 Server
Reproduction steps
From Wizscan, this plugin has handlebars-4.3.0.jar, which exposes the Apache Commons Text security issue:
https://www.imperva.com/blog/apache-commons-text-vulnerability-cve-2022-42889/
Expected Results
Use apache-commons-text version 1.10.0.
Actual Results
Apache-commons-text version is 1.6.0
Anything else?
No response
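A check of the kind the report implies, as an added example (not code from the plugin, from git-changelog-lib, or from the scanner named above): it parses the jar names bundled with a plugin and flags any commons-text older than 1.10.0, the version the report asks for. The sample jar list, the `SAMPLE_JARS` name and the `scan_directory` helper are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample: jar file names as they might appear under an unpacked
# plugin's WEB-INF/lib. Not taken from the page.
SAMPLE_JARS = [
    "handlebars-4.3.0.jar",
    "commons-text-1.6.jar",
    "commons-lang3-3.12.0.jar",
    "git-changelog-lib-1.168.3.jar",
]

# Lowest commons-text release the report considers acceptable for
# CVE-2022-42889 (the StringSubstitutor interpolation issue).
FIXED_COMMONS_TEXT = (1, 10, 0)

# artifact-id, dash, dotted numeric version, optional qualifier, ".jar"
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][\w.-]*)?\.jar$"
)


def parse_jar_name(name):
    """Split 'artifact-1.2.3.jar' into ('artifact', (1, 2, 3)); None if unparseable."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("artifact"), version


def version_lt(a, b):
    """Numeric tuple compare, zero-padded so (1, 6) < (1, 10, 0) and (1, 10) == (1, 10, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_vulnerable_commons_text(jar_names, fixed=FIXED_COMMONS_TEXT):
    """Return [(jar name, version tuple)] for every commons-text jar below `fixed`."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # unversioned or oddly named jar; nothing to compare
        artifact, version = parsed
        if artifact == "commons-text" and version_lt(version, fixed):
            findings.append((name, version))
    return findings


def scan_directory(path):
    """Run the check over the *.jar files in a directory (hypothetical helper)."""
    return find_vulnerable_commons_text(p.name for p in Path(path).glob("*.jar"))


if __name__ == "__main__":
    for name, version in find_vulnerable_commons_text(SAMPLE_JARS):
        print(f"{name}: commons-text {'.'.join(map(str, version))} < 1.10.0")
```

The check is filename-based, so it only sees jars that are actually bundled; a dependency pulled in transitively, as handlebars pulls in commons-text here, shows up only because the plugin ships the jar, and a shaded or relocated copy would not be found this way. Comparing the version as a tuple rather than a string matters for exactly this case: as strings, "1.6" sorts after "1.10.0".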
tomasbjerre commented
Stepping the handlebars library to 4.3.1 and using that in git-changelog-lib.
Releasing that as 1.168.4 and using it in this plugin as 3.24.
(Relates to jknack/handlebars.java#1009)