Description from the CVE:
An attacker that is able to modify Velocity templates may execute arbitrary 
Java code or run arbitrary system commands with the same privileges as the 
account running the Servlet container. This applies to applications that allow 
untrusted users to upload/modify velocity templates running Apache Velocity 
Engine versions up to 2.2. 


In the context of a Maven build, executing arbitrary code does not even 
require Velocity...

Of course, while doing a release, upgrading Velocity is something to do.


On Wednesday, 18 May 2022, 05:37:44 CEST, Maxim Solodovnik wrote:
> BTW org.apache.velocity:velocity used in 3.1.2 is reported as
> vulnerable here:
> https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-checkstyle-plugin/3.1.2
> On Fri, 22 Apr 2022 at 10:42, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > 3.2.0-SNAPSHOT works as expected
> > at least "Instanceof pattern matching" seems to pass checkstyle :)
> > 
> > On Thu, 21 Apr 2022 at 19:21, Falko Modler <f.mod...@gmx.net> wrote:
> > > Hi Maxim,
> > > 
> > > it works for me when adding checkstyle 9.3 (or other recent versions) as
> > > a plugin dependency, overriding the one that is shipped by the plugin.
> > 
> > This might be the option, but this way I should do manual updates all
> > the time :(
> > maven-checkstyle-plugin was released 2021-01-23 (more than a year ago)
> > IMO it's time to release :)
> > 
> > > I never wait for plugin updates to update checkstyle, because checkstyle
> > > is updated way more often than the plugin.
> > > 
> > > Cheers,
> > > 
> > > Falko
> > > 
> > > On 21.04.2022 at 11:51, Maxim Solodovnik wrote:
> > > > Hello All,
> > > > 
> > > > I would like to switch to the latest Java17 LTS
> > > > But it seems latest maven-checkstyle-plugin doesn't work with new
> > > > java17 features :(
> > > > 
> > > > Maybe it would be possible to release new version?
> > > > 
> > > > Thanks in advance :)
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> > > For additional commands, e-mail: users-h...@maven.apache.org
> > 
> > --
> > Best regards,
> > Maxim
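
Added illustration, not taken from any of the posts above: a pom.xml fragment doing what Falko describes, declaring a newer Checkstyle as a dependency of maven-checkstyle-plugin so that it overrides the Checkstyle version the plugin ships with. The plugin version (3.1.2) and Checkstyle version (9.3) are the ones named in the thread; the Checkstyle coordinates com.puppycrawl.tools:checkstyle are assumed from the Checkstyle project itself.

```xml
<!-- Added example: run maven-checkstyle-plugin 3.1.2 with Checkstyle 9.3
     instead of the Checkstyle version bundled with the plugin. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-checkstyle-plugin</artifactId>
      <version>3.1.2</version>
      <!-- Dependencies declared inside <plugin> are resolved onto the plugin's
           own classpath and take precedence over the plugin's transitive
           dependency on the same artifact, so the newer Checkstyle wins.
           The same mechanism can pin any other library a plugin pulls in
           transitively while waiting for a plugin release. -->
      <dependencies>
        <dependency>
          <!-- Checkstyle's Maven coordinates (assumed from the Checkstyle project) -->
          <groupId>com.puppycrawl.tools</groupId>
          <artifactId>checkstyle</artifactId>
          <version>9.3</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Running `mvn -X checkstyle:check` prints the plugin's resolved classpath in the debug output, which is the quickest way to confirm which Checkstyle jar actually ended up in the plugin realm.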