+1 Based on: The risk is low. Avoids false positives in automated vulnerability scans.
On Fri, Apr 10, 2020 at 12:33 PM Dick Cavender <dcaven...@pivotal.io> wrote:
> +1
>
> On Fri, Apr 10, 2020 at 11:16 AM Owen Nichols <onich...@pivotal.io> wrote:
>
> > Recently it's been noticed that spring-core-5.2.1.RELEASE.jar is getting
> > flagged for "high" security vulnerability CVE-2020-5398.
> >
> > Analysis shows that Geode does not use Spring in a manner that would
> > expose this vulnerability (none of our REST APIs or Pulse set a
> > Content-Disposition header derived from user-supplied input).
> >
> > The risk of bringing GEODE-7970 is low. This patch update from 5.2.1 to
> > 5.2.5 brings bug fixes only. This exact version was on develop from Apr 8
> > - Apr 10 & passed all tests.
> >
> > This fix is critical to avoid false positives in automated vulnerability
> > scans.
> >
> > -Owen
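The triage argument in the quoted mail rests on one precondition of CVE-2020-5398: the advisory applies to an application that sets a Content-Disposition response header whose filename attribute is derived from user-supplied input. The following Spring MVC controller is an added illustration of that precondition and is not Geode code or anything posted in this thread; the class name ExportController, the /export-unsafe and /export paths and the query parameters name and q are all constructed for the example. The first handler has the shape the CVE is about (filename taken from the request); the second has the shape the mail says Geode's REST APIs and Pulse follow (a constant, server-chosen filename), which is why the flag is treated as a false positive rather than an exposure.

```java
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Constructed example controller; not part of Apache Geode.
@RestController
public class ExportController {

    // Pattern that matches the CVE-2020-5398 precondition: the filename
    // attribute of Content-Disposition comes straight from a request
    // parameter, so a link crafted by an attacker controls both the
    // suggested download name and (through q) the response body.
    @GetMapping("/export-unsafe")
    public ResponseEntity<String> exportUnsafe(@RequestParam("name") String name,
                                               @RequestParam("q") String q) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(
                ContentDisposition.builder("attachment").filename(name).build());
        return ResponseEntity.ok()
                .headers(headers)
                .contentType(MediaType.TEXT_PLAIN)
                .body(q);
    }

    // Pattern that does not meet the precondition: the filename is a
    // constant chosen by the server, so nothing from the request reaches
    // the header regardless of which spring-core version is on the classpath.
    @GetMapping("/export")
    public ResponseEntity<String> exportSafe(@RequestParam("q") String q) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(
                ContentDisposition.builder("attachment").filename("export.txt").build());
        return ResponseEntity.ok()
                .headers(headers)
                .contentType(MediaType.TEXT_PLAIN)
                .body(q);
    }
}
```

When re-checking a claim like the one in the mail, the concrete audit is to list every place the REST and Pulse code sets the header (direct `Content-Disposition` string sets, `HttpHeaders.setContentDisposition`, `ContentDisposition.builder`) and confirm each filename argument is a literal or otherwise not derived from request data; the version bump to 5.2.5 then removes the scanner finding without the analysis having to change.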