[ 
https://issues.apache.org/jira/browse/NIFI-10184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18063362#comment-18063362
 ] 

Daniel Stieglitz commented on NIFI-10184:
-----------------------------------------

[~exceptionfactory] In NiFi 2.8 we are using antlr-runtime 3.5.3, which 
apparently still has the aforementioned CVE. Is there a reason we are staying 
on this older version?

> Update Antlr-Runtime To 4.X
> ---------------------------
>
>                 Key: NIFI-10184
>                 URL: https://issues.apache.org/jira/browse/NIFI-10184
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.15.3, 1.16.1, 1.16.2, 1.16.3
>            Reporter: Mike R
>            Priority: Major
>
> The current version of nifi-record-serialization-services includes a compile 
> dependency of antlr-runtime of 3.5.2. The antlr-runtime of 3.5.2 has a 
> vulnerable dependency of a vulnerable version of junit 4.10, which has 
> CVE-2020-15250 filed against it. If possible, would updating to version 4.X 
> work?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
