Released 2022-11-10
Improvements
- [Java Only] Updated Jackson libraries with fix for CVE-2022-42004
- [Java Only] Updated Apache commons-text dependency to version 1.10.0 to avoid using a version with CVE-2022-42889. Note: Engine itself was not impacted by this CVE since the only use of commons-text was for escaping and unescaping via org.apache.commons.text.StringEscapeUtils, not for variable substitution.
- [Java Only] Update Jackson versions, specifically to get the latest jackson-databind that is not subject to CVE-2022-42003. Note: Engine was not vulnerable due to not using UNWRAP_SINGLE_VALUE_ARRAYS
- [Java Only] Update woodstox-core for CVE-2022-40153. Note: Engine does not appear to be vulnerable due to not validating external DTDs