This is an automated email from the ASF dual-hosted git repository.
pkarwasz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-text.git
The following commit(s) were added to refs/heads/master by this push:
new c0599f43 fix: Replace Text -> Lang in VEX description
c0599f43 is described below
commit c0599f43b6a84e8ae7e1cea10e082ac2657fb647
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Mon Aug 4 14:31:22 2025 +0200
fix: Replace Text -> Lang in VEX description
The vulnerability is exploitable if a vulnerable Commons Lang is present,
not Commons Text.
---
src/conf/security/VEX.cyclonedx.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf/security/VEX.cyclonedx.xml
b/src/conf/security/VEX.cyclonedx.xml
index 9c0875aa..dcad061f 100644
--- a/src/conf/security/VEX.cyclonedx.xml
+++ b/src/conf/security/VEX.cyclonedx.xml
@@ -67,7 +67,7 @@
<detail>
CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5
and later, but only when all the following conditions are met:
- * The consuming project includes a vulnerable version of Commons
Text on the classpath.
+ * The consuming project includes a vulnerable version of Commons
Lang on the classpath.
As of version `1.14.1`, Commons Text no longer references a
vulnerable version of the `commons-lang3` library in its POM file.
* Unvalidated or unsanitized user input is passed to the
`StringSubstitutor` or `StringLookup` classes.
* An interpolator lookup created via
`StringLookupFactory.interpolatorLookup()` is used.
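Review bot: The corrected first bullet says "a vulnerable version of Commons Lang" without naming the artifact or the affected versions, while the sentence right after it refers to `commons-lang3`. Consider using the artifact name `commons-lang3` in the bullet as well and stating the affected version range there, so that someone reading the VEX can check their own classpath against it. The opening sentence also still reads "exploitable in Apache Commons Text versions 1.5 and later". Since the condition now depends on which Commons Lang is on the classpath, and the 1.14.1 note only covers what the Commons Text POM references, it may be worth stating explicitly whether a consumer on 1.14.1 who supplies an older `commons-lang3` still meets this condition.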