[ https://issues.apache.org/jira/browse/NIFI-10982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Phil Lee updated NIFI-10982:
----------------------------
Description:
Update org.springframework_spring-web from 5.3.24 to 6.0.0. This will
remediate [CVE-2016-1000027|https://nvd.nist.gov/vuln/detail/CVE-2016-1000027].
Twistlock scan reported this as a critical severity vulnerability in NiFi Toolkit
(which is included in NiFi version 1.19.1).
Impacted versions: <6.0.0
Discovered: 2 days ago
Published: more than 2 years ago
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code
execution (RCE) issue if used for Java deserialization of untrusted data.
Depending on how the library is implemented within a product, this issue may or
may not occur, and authentication may be required. NOTE: the vendor's position is
that untrusted data is not an intended use case. The product's behavior will
not be changed because some users rely on deserialization of trusted data.
was:
Update org.springframework_spring-web from 5.3.24 to 6.0.0. This will
remediate [CVE-2016-1000027|[https://nvd.nist.gov/vuln/detail/CVE-2016-1000027]].
Twistlock scan reported this as a critical severity vulnerability in NiFi Toolkit
(which is included in NiFi version 1.19.1).
Impacted versions: <6.0.0
Discovered: 2 days ago
Published: more than 2 years ago
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code
execution (RCE) issue if used for Java deserialization of untrusted data.
Depending on how the library is implemented within a product, this issue may or
may not occur, and authentication may be required. NOTE: the vendor's position is
that untrusted data is not an intended use case. The product's behavior will
not be changed because some users rely on deserialization of trusted data.
> Update org.springframework_spring-web to 6.0.0
> ----------------------------------------------
>
> Key: NIFI-10982
> URL: https://issues.apache.org/jira/browse/NIFI-10982
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.19.1
> Reporter: Phil Lee
> Priority: Major
>
> Update org.springframework_spring-web from 5.3.24 to 6.0.0. This will
> remediate [CVE-2016-1000027|https://nvd.nist.gov/vuln/detail/CVE-2016-1000027].
> Twistlock scan reported this as a critical severity vulnerability in NiFi
> Toolkit (which is included in NiFi version 1.19.1).
> Impacted versions: <6.0.0
> Discovered: 2 days ago
> Published: more than 2 years ago
> Pivotal Spring Framework through 5.3.16 suffers from a potential remote code
> execution (RCE) issue if used for Java deserialization of untrusted data.
> Depending on how the library is implemented within a product, this issue may
> or may not occur, and authentication may be required. NOTE: the vendor's
> position is that untrusted data is not an intended use case. The product's
> behavior will not be changed because some users rely on deserialization of
> trusted data.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)