Update org.dom4j in kettle-core and kettle-engine (v2.1.1 has critical vulnerability) #5570
Comments
mariusssi
changed the title
|
If upgrade is not possible, there is a mitigation mentioned in that CVE page, I believe like this: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
dom4j is still version 2.1.1 in both the engine and core packages. And this has a critical CVE, CVE-2020-10683 , we need to fix.
Could you please upgrade to 2.1.3 or 2.1.4 ?
Actually in pom there's no explicit version set when included, so I couldn't find where it comes from.
I did try to force the version with reuploading the changed poms and jars of core+engine in my own repo, but it didn't work, I still got 2.1.1 in it.
Affects latest 9.3 and 9.5 too: 9.3.0.6-786, 9.5.2.0-273
The text was updated successfully, but these errors were encountered: