[
https://issues.apache.org/jira/browse/NIFI-12879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann resolved NIFI-12879.
-------------------------------------
Resolution: Fixed
> Upgrade Clojure to 1.11.2
> -------------------------
>
> Key: NIFI-12879
> URL: https://issues.apache.org/jira/browse/NIFI-12879
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Fix For: 2.0.0, 1.26.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The Clojure library for the Scripting extensions bundle should be upgraded to
> [1.11.2|https://clojure.org/releases/downloads#_stable_release_1_11_2_mar_8_2024]
> to mitigate CVE-2024-22871, which relates to using Java Object serialization
> to read crafted inputs.
> Clojure is an optional scripting library and the Scripting extensions do not
> perform Java Object serialization directly. For this reason, deployments of
> NiFi that do not use custom Scripting components based on Clojure are not
> directly exposed to this vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
