Bruno Volpato created MDEP-882:
----------------------------------

             Summary: Upgrade plexus-archiver due to vulnerability
                 Key: MDEP-882
                 URL: https://issues.apache.org/jira/browse/MDEP-882
             Project: Maven Dependency Plugin
          Issue Type: Dependency upgrade
            Reporter: Bruno Volpato

The dependency plexus-archiver 4.7.1 is within the range for [https://nvd.nist.gov/vuln/detail/CVE-2023-37460], and is critical as it may be a surface for remote code execution.

Dependabot opened the pull request for the bump: [https://github.com/apache/maven-dependency-plugin/pull/330].

I'm filing this to bring up that this is critical to merge + trying to encourage a possible release whenever possible.

Thank you!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)