Vulnerabilities in dependency commons-beanutils:commons-beanutils 1.9.3 #291
Comments
|
Hi @sqlguard, we'll try to get a patch release out next week. |
|
Thanks @fbiville! |
conker84
added a commit
to conker84/neo4j-jdbc
that referenced
this issue
Feb 15, 2022
…ons-beanutils 1.9.3
conker84
added a commit
to conker84/neo4j-jdbc
that referenced
this issue
Feb 15, 2022
…ons-beanutils 1.9.3
|
@sqlguard the fix is merged, we'll perform a release today or tomorrow. We've now configured dependabot, so we'll hopefully be a bit more proactive. |
|
@sqlguard 4.0.5 is out (Maven Central should be up-to-date in a couple of hours) https://github.com/neo4j-contrib/neo4j-jdbc/releases/tag/4.0.5 |
|
Great! Thanks a lot! |
|
Does this support neo4j version 4.3.14? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
The latest Neo4j JDBC driver contains the commons-beanutils:commons-beanutils:1.9.3 package, which have known vulnerability described here:
https://nvd.nist.gov/vuln/detail/CVE-2019-10086
CVE: CVE-2019-10086
Details: In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Base Score: HIGH (7.3)
Do you have any plan to get it updated soon?
Thanks!
The text was updated successfully, but these errors were encountered: