Tom

In the future if you're concerned or have questions about a vulnerability/potential vulnerability please follow the guidance here. https://nifi.apache.org/security.html

Here you can see what we've done for this already on main https://issues.apache.org/jira/browse/NIFI-10648 with more info in https://github.com/apache/nifi/pull/6531

It doesn't seem like it thus far but might be worth kicking out a 1.18.1 just to help people feel more comfortable. Will share more if that shapes up.

Thanks
Joe

On Fri, Oct 21, 2022 at 10:50 AM Tom Coudyzer <[email protected]> wrote:
>
> Hi,
>
> I looked on the Apache Nifi site and linked sites to find information on how
> CVE-2022-42889 impacts Apache Nifi.
>
> I found an issue report and merge request which indicates the library Apache
> Commons Text has been upgraded to the patched version (1.10) and it will be
> part of v1.19.0
>
> I could however not find when this version will be released. Could that be
> checked somewhere?
>
> Second question is if Nifi is impacted by this vulnerability because it could
> be that the usage of this library in Apache Nifi does not allow it to exploit
> this vulnerability.
>
> Thank you very much for any feedback and thank you to the open source
> community for having made Apache Nifi and maintaining/improving this product.
>
> /Tom
