[
https://issues.apache.org/jira/browse/NIFI-11339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-11339:
------------------------------------
Summary: Update Spring Core to 5.3.26 (was: Update
org.springframework_spring-core to 5.3.26 or 6.0.7)
> Update Spring Core to 5.3.26
> ----------------------------
>
> Key: NIFI-11339
> URL: https://issues.apache.org/jira/browse/NIFI-11339
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.20.0
> Reporter: Phil Lee
> Priority: Major
> Fix For: 2.0.0, 1.21.0
>
>
> Update org.springframework_spring-core from 5.3.24 to 5.3.26 or 6.0.7. This
> will remediate [https://nvd.nist.gov/vuln/detail/CVE-2023-20861]
> Twistlock scan reported this as high severity vulnerability in NiFi Registry
> version 1.20.0.
> |Impacted versions: >=5.3.0 and <5.3.26
> Discovered: less than an hour ago
> Published: 7 hours ago|
> In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE -
> 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to
> provide a specially crafted SpEL expression that may cause a
> denial-of-service (DoS) condition.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
