I see this is already updated in the current snapshot via #3181, however I'm not sure if this warrants a rather quick release? What's your take on this @jeremylong?
From the CVE "An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container."... I'm just not sure the attack path is there for 99.9% of the use cases for ODC...
However, I also know the zero tolerance some have for known vulnerable libraries... So I suppose we should release 6.1.3.
Describe the bug
dependency-check-core v6.1.2 contains a vulnerable dependency
org.apache.velocity:velocity-engine-core@2.2
with CVE-2020-13936
Version of dependency-check used
dependency-check-core:6.1.2