Re: Recent Apache Commons text CVE

2022-10-24 Thread Colm O hEigeartaigh
Thanks Francesco!

Colm.

On Mon, Oct 24, 2022 at 4:08 PM Francesco Chicchiriccò wrote:
>
> Hi Colm,
> That class is used exclusively for the DB content bootstrap process, which
> is run only on an empty database.
> The input is given through the Domain Content XML file (typically,
> MasterContent.xml), which can be configured to be loaded either from the
> classpath or from conf.dir.
>
> Nevertheless, the library was upgraded on both active git branches, 2_1_X
> and master, and the upgrade is also included in the last release.
> The library version can also be overridden, via a Maven property, in
> projects based on old releases.
>
> Regards.
>
> On Mon, 24 Oct 2022 at 13:41 Colm O hEigeartaigh wrote:
>
> > Hi,
> >
> > Regarding the recent Apache Commons Text advisory
> > (https://blogs.apache.org/security/entry/cve-2022-42889), Syncope uses
> > the StringSubstitutor API here:
> >
> >
> > https://github.com/apache/syncope/blob/7309dd303f2fe9238df4b69776f6284a87549599/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/ContentLoaderHandler.java
> >
> > Can you confirm please that all of the input used with
> > StringSubstitutor in this class can be classified as "trusted input"?
> >
> > Thanks,
> >
> > Colm.
> >


Re: Recent Apache Commons text CVE

2022-10-24 Thread Francesco Chicchiriccò
Hi Colm,
That class is used exclusively for the DB content bootstrap process, which
is run only on an empty database.
The input is given through the Domain Content XML file (typically,
MasterContent.xml), which can be configured to be loaded either from the
classpath or from conf.dir.

Nevertheless, the library was upgraded on both active git branches, 2_1_X
and master, and the upgrade is also included in the last release.
The library version can also be overridden, via a Maven property, in
projects based on old releases.

Regards.

On Mon, 24 Oct 2022 at 13:41 Colm O hEigeartaigh wrote:

> Hi,
>
> Regarding the recent Apache Commons Text advisory
> (https://blogs.apache.org/security/entry/cve-2022-42889), Syncope uses
> the StringSubstitutor API here:
>
>
> https://github.com/apache/syncope/blob/7309dd303f2fe9238df4b69776f6284a87549599/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/ContentLoaderHandler.java
>
> Can you confirm please that all of the input used with
> StringSubstitutor in this class can be classified as "trusted input"?
>
> Thanks,
>
> Colm.
>
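
An added example, not part of this thread and not Syncope's own code: the class below contrasts the default Commons Text interpolator (the StringSubstitutor API Colm points at) with a substitutor restricted to an explicit allowlist of bootstrap variables, which is the shape a fix takes if the content file cannot be treated as trusted input. It assumes commons-text 1.8 or later on the classpath (for createInterpolator()); the XML fragments and the adminUser variable are constructed sample data.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not Syncope code). Compares the default Commons Text
 * interpolator with a substitutor that only resolves an explicit map of
 * variables. Assumes commons-text >= 1.8 (StringSubstitutor.createInterpolator()).
 */
public final class ContentTemplateSubstitution {

    /**
     * Default interpolator: "${prefix:...}" expressions are dispatched to the
     * default lookup set. Before 1.10.0 that set included script, dns and url
     * (CVE-2022-42889); after the upgrade lookups such as env and sys are still
     * enabled, so a tampered content file can still pull host data into the DB.
     */
    static String withDefaultInterpolator(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    /**
     * Allowlisted substitutor: only keys present in {@code vars} resolve.
     * A "prefix:" expression is just an unknown key, so it is rejected with
     * IllegalArgumentException instead of being interpreted.
     */
    static String withAllowlist(String template, Map<String, String> vars) {
        StringLookup lookup = StringLookupFactory.INSTANCE.mapStringLookup(vars);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        sub.setEnableUndefinedVariableException(true); // fail loudly on unknown ${...}
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed fragments in the style of a Domain Content XML value.
        String benign = "<SyncopeUser username=\"${adminUser}\"/>";
        String prefixed = "<SyncopeUser username=\"${sys:java.version}\"/>";
        Map<String, String> vars = Map.of("adminUser", "admin"); // hypothetical bootstrap variable

        // Default interpolator: plain keys are left as-is, prefixed lookups are executed.
        System.out.println(withDefaultInterpolator(benign));
        System.out.println(withDefaultInterpolator(prefixed)); // JVM version ends up in the content

        // Allowlist: plain keys resolve, anything else is an error.
        System.out.println(withAllowlist(benign, vars)); // <SyncopeUser username="admin"/>
        try {
            withAllowlist(prefixed, vars);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical check for a Syncope deployment follows from the thread: confirm the resolved commons-text version in the effective POM is 1.10.0 or later, and treat MasterContent.xml (from the classpath or conf.dir) with the same care as any other bootstrap configuration, since even the upgraded default lookup set still resolves prefixes such as env and sys.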


Recent Apache Commons text CVE

2022-10-24 Thread Colm O hEigeartaigh
Hi,

Regarding the recent Apache Commons Text advisory
(https://blogs.apache.org/security/entry/cve-2022-42889), Syncope uses
the StringSubstitutor API here:

https://github.com/apache/syncope/blob/7309dd303f2fe9238df4b69776f6284a87549599/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/ContentLoaderHandler.java

Can you confirm please that all of the input used with
StringSubstitutor in this class can be classified as "trusted input"?

Thanks,

Colm.