[ https://issues.apache.org/jira/browse/SLING-12492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904651#comment-17904651 ]

Eric Norman commented on SLING-12492:
-------------------------------------

[~rombert] FYI: The PR that I merged only resolves one of the two reported 
direct dependencies with security vulnerabilities.

For this to be fully fixed, the org.apache.sling.api dependency also needs to be 
bumped to version 2.25.4 or later to resolve the CVE-2022-32549 one.


It looks like dependabot didn't create a PR to automatically update the 
org.apache.sling.api dependency? Do you know if there is some trick to get the 
dependabot to rescan?
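Since the comment's point is that one of the two dependencies is still pinned below the fixed release, a maintainer who wants a local check (independent of whether dependabot rescans) can compare the declared version against the floor named above. The script below is an added example, not code from the Sling project or from the commenter: it parses a constructed pom.xml fragment, resolves a `${...}` property reference the way Maven would for a simple property, and reports any `org.apache.sling:org.apache.sling.api` declaration older than 2.25.4. The pom content, the property name `sling.api.version` and the second dependency are constructed sample data; the only fact taken from the thread is the 2.25.4 minimum for CVE-2022-32549.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not the Sling project's pom) that pins
# org.apache.sling.api via a property at a version below the fixed release.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-bundle</artifactId>
  <properties>
    <sling.api.version>2.22.0</sling.api.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.sling</groupId>
      <artifactId>org.apache.sling.api</artifactId>
      <version>${sling.api.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.sling</groupId>
      <artifactId>org.apache.sling.scripting.core</artifactId>
      <version>2.4.0</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Minimum acceptable versions: the floor for org.apache.sling.api comes from the
# Jira comment (2.25.4 or later resolves CVE-2022-32549).
MIN_VERSIONS = {("org.apache.sling", "org.apache.sling.api"): "2.25.4"}


def parse_version(version):
    """Turn '2.25.4' into a tuple that compares numerically per component.

    Numeric components become (1, int); non-numeric ones (e.g. 'SNAPSHOT')
    become (0, str) so they sort below any number and never mix int/str.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def resolve_property(value, props):
    """Resolve a simple ${name} reference against <properties>; else return as-is."""
    match = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    return props.get(match.group(1), value.strip()) if match else value.strip()


def dependencies(pom_xml):
    """Return [(groupId, artifactId, resolvedVersion)] for each <dependency>."""
    root = ET.fromstring(pom_xml)
    props = {
        p.tag.split("}")[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", NS)
    }
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = resolve_property(
            dep.findtext("m:version", default="", namespaces=NS), props
        )
        deps.append((group, artifact, version))
    return deps


def outdated(pom_xml, minimums=MIN_VERSIONS):
    """Return [(coordinate, declared, required)] for dependencies below their floor."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        floor = minimums.get((group, artifact))
        if floor and parse_version(version) < parse_version(floor):
            findings.append((f"{group}:{artifact}", version, floor))
    return findings


if __name__ == "__main__":
    for coordinate, declared, required in outdated(SAMPLE_POM):
        print(f"{coordinate} is at {declared}; needs {required} or later")
```

Versions coming from a parent POM or `dependencyManagement` are not resolved here; for those, `mvn dependency:tree` shows the effective version, and the same comparison applies to its output.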

> Apache Sling Scripting JavaScript 3.1.4 is affected by vulnerabilities 
> CVE-2022-32549 and CVE-2021-29425.
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-12492
>                 URL: https://issues.apache.org/jira/browse/SLING-12492
>             Project: Sling
>          Issue Type: Improvement
>          Components: Scripting
>    Affects Versions: Scripting JavaScript 3.1.4
>            Reporter: Scott Yuan
>            Assignee: Eric Norman
>            Priority: Minor
>             Fix For: Scripting JavaScript 3.1.6
>
>
> The MVN Repository reports that the latest release, Apache Sling Scripting 
> JavaScript 3.1.4, is affected by vulnerabilities CVE-2022-32549 and 
> CVE-2021-29425 due to outdated dependencies. For more details, visit MVN 
> Repository.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)