+1

On Fri, Apr 10, 2020 at 11:16 AM Owen Nichols <onich...@pivotal.io> wrote:
> Recently it’s been noticed that spring-core-5.2.1.RELEASE.jar is getting
> flagged for “high” security vulnerability CVE-2020-5398.
>
> Analysis shows that Geode does not use Spring in a manner that would
> expose this vulnerability (none of our REST apis or pulse set a
> Content-Disposition header derived from user-supplied input).
>
> The risk of bringing GEODE-7970 is low. This patch update from 5.2.1 to
> 5.2.5 brings bug fixes only. This exact version was on develop from
> Apr 8 - Apr 10 & passed all tests.
>
> This fix is critical to avoid false positives in automated vulnerability
> scans.
>
> -Owen