fix: CVE-2024-47554 vulnerability #887
Conversation
The following vulnerability is fixed with an upgrade: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554
|
I've had this in my personal build on my laptop for maybe 2 weeks or there about. We get Snyk, DependaBot, and other SCA tools notifying us. I've been working to get out a release for a while now, because OSSRH is being shut down on 6/30, so we are racing the clock to get out a release before that happens just in case something goes wrong with the migration or afterwards. There are other updates included as well. However, since I've already have this in my local pom.xml along with other changes to plugins, etc. I am going to close this without merging it so when I push my changes, it doesn't cause any sort of merge conflict. Hang on to your hats though. We should have a new release out at least by COB Monday, 6/30. |
|
We can wait 4 days :) Beats having to push a custom artifact into our organization's artifact mirror |
|
Usually it easy to just explicitly exclude the vulnerable dependency
version in the application and the include the patched version directly. I
can assure you in the case, it won't break ESAPI. I ran our JUnit tests
with the patched version and all tests passed.
…On Thu, Jun 26, 2025, 6:07 PM Paul Bors ***@***.***> wrote:
*paulbors* left a comment (ESAPI/esapi-java-legacy#887)
<#887 (comment)>
We can wait 4 days :)
Beats having to push a custom artifact into our organization's artifact
mirror
—
Reply to this email directly, view it on GitHub
<#887 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAO6PG2EN5ESJI474X7OQ5L3FRVKVAVCNFSM6AAAAACAG6BRX6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAMJQGI4TCOJXG4>
.
You are receiving this because you modified the open/close state.Message
ID: ***@***.***>
|
The following vulnerability is fixed with an upgrade:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554