Hi Bernhard, Neethi 3.2.2 should be fixed as part of CXF 4.2.2, which is under vote and will be released shortly.
https://github.com/apache/cxf/commit/e24d2c4627dcd727e4cbc4f5b6a49c918f4563dc Colm. On Wed, Jun 10, 2026 at 2:08 PM Bernhard Schuhmann < [email protected]> wrote: > Hello, > > noticed that Apache Neethi is still at vulnerable 3.2.1 even though I had > expected it should be at 3.2.2 in our environment with CXF 4.2.1. > > Found the following chain of dependencies: > org.apache.cxf:cxf-rt-ws-security:4.2.1/2 depends on > org.apache.wss4j:wss4j-policy:4.0.1 which still depends on > org.apache.neethi:neethi:3.2.1 > > However, org.apache.cxf:cxf-rt-ws-policy:4.2.1/2 for instance depends on > org.apache.neethi:neethi:3.2.2 as expected. > > Not sure if it’s our specific environment or a general problem - any > additional information I can provide? > > I see the vote for 4.2.2 is already open or even closed - is there a > chance to get this still fixed for 4.2.2 if a general issue or would this > have to wait until 4.2.3? Would I need to create a ticket for that? > > Thanks in advance! > > Bernhard > [image: Jedox Gartner Magic Quadrant Leader] > <https://www.jedox.com/de/ressourcen/analyst-gartner-magic-quadrant-finanzplanungssoftware/?utm_campaign=Analyst%20Reports&utm_source=signature&utm_medium=email_marketing&utm_content=GartnerMQ2025> > > Bernhard Schuhmann > Principal Software Engineer > Jedox > Bismarckallee 7a > 79098 > Freiburg im Breisgau > Germany > Jedox GmbH > Chief Executive Officer (Geschäftsführer): Florian Winterstein > > Place of Business: Freiburg i. Br. | Registry Court: Amtsgericht Freiburg | > HRB 723467 > > [TM.V06112018] >
