Scott Reynolds created CALCITE-5025:
---------------------------------------
Summary: Update commons-io:commons-io Directory Traversal vulnerability
Key: CALCITE-5025
URL: https://issues.apache.org/jira/browse/CALCITE-5025
Project: Calcite
Issue Type: Bug
Reporter: Scott Reynolds
Calcite depends on commons-io:commons-io 2.4 -- which was released on
{{2012-06-12}} -- which can be exploited to access parent directories. In
recent months, there have been a fair number of releases for this package and
[Snyk lists this as the only vulnerability it has
seen|https://snyk.io/vuln/maven:commons-io:commons-io].
Task is simple: bump the version to 2.7 or higher -- if I may suggest, just
go to 2.11.0.
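The issue does not name which commons-io API is affected, so the following is an added example, not Calcite or commons-io code: a containment check written against java.nio.file that resolves an untrusted file name under a base directory and rejects anything that escapes it, independent of whatever the library's own path helpers do. The base directory and the sample names are constructed for the illustration; the class name SafePathResolver is an assumption.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example (not Calcite or commons-io code): resolve an untrusted
 *  file name under a fixed base directory and refuse any result that
 *  leaves that directory. Works on normalized absolute paths, so ".."
 *  segments and absolute inputs are caught without relying on a
 *  third-party normalize() implementation. */
public final class SafePathResolver {
    private final Path base;

    public SafePathResolver(Path base) {
        // Canonical form once, so startsWith() below compares like with like.
        this.base = base.toAbsolutePath().normalize();
    }

    /** Returns the resolved path, or throws if untrustedName escapes base. */
    public Path resolve(String untrustedName) {
        // resolve() returns the argument itself when it is absolute, and
        // normalize() collapses "." and ".." segments; the final startsWith()
        // is what actually enforces containment in both cases.
        Path candidate = base.resolve(untrustedName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException(
                "path escapes base directory: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed base directory and sample inputs for the demonstration.
        SafePathResolver resolver =
            new SafePathResolver(Paths.get("/var/data/exports"));
        String[] samples = {
            "report.csv",            // plain name: accepted
            "2022/report.csv",       // subdirectory: accepted
            "../report.csv",         // parent directory: rejected
            "//../../etc/hosts"      // absolute with ".." segments: rejected
        };
        for (String name : samples) {
            try {
                System.out.println(name + " -> OK: " + resolver.resolve(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check compares lexically normalized paths; where symlinks inside the base directory are a concern, resolving the candidate with toRealPath() before the startsWith() comparison is stricter, at the cost of requiring the file to exist.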
--
This message was sent by Atlassian Jira
(v8.20.1#820001)