> > Hi,
> >
> > I wonder about excludedClasses in 2.3.20.2 and 2.3.24.2.
> >
> > Both contain "ognl.MemberAccess" twice and both lack
> > "java.lang.ProcessBuilder". Why is that?
>
> Overlooked :( And cherry-picking :\ But the most important thing is the
> `isSequence` flag - that will block any chained expressions where
> `ProcessBuilder` would be used.
>
> Should I drop those versions and start over?
>
I thought not blocking `ProcessBuilder` enables a whole lot of vulnerabilities. Is this risk gone when `isSequence` is set? What happens when `new ProcessBuilder` is used in a parameter name?

Regards,
Christoph