Hi Cedric,

Does this build still use the infamous Log4J v1.2 jar...? I know it's actually benign due to no use of the JNDI, but security vulnerability scanners usually complain.
Thanks for your work on this.

Best regards
Warrell

On Thu, 30 Nov 2023, 11:16 Cédric Damioli, <cdami...@apache.org> wrote:

> Severity: important
>
> Affected versions:
>
> - Apache Cocoon 2.2.0 before 2.3.0
>
> Description:
>
> Improper Restriction of XML External Entity Reference vulnerability in
> Apache Cocoon. This issue affects Apache Cocoon: from 2.2.0 before 2.3.0.
>
> Users are recommended to upgrade to version 2.3.0, which fixes the issue.
>
> References:
>
> https://cocoon.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-49733
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
> For additional commands, e-mail: users-h...@cocoon.apache.org