java-bean-validation-extension
CVE-2019-10086. Bump commons-beanutils version to 1.9.4
Hi,
First of all, thank you for all the work and effort put into this project, much appreciated.
The package commons-beanutils version 1.9.2 has been tagged with CVE-2019-10086. I leave you some references: https://nvd.nist.gov/vuln/detail/CVE-2019-10086 https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-460111
This is a transitive dependency from commons-validator, and there is no date for a fix release from the Apache team.
Could you consider setting the commons-beanutils version to 1.9.4 as this version fixes the vulnerability?
Thanks in advance, Regards.
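A check for the situation this issue describes, as an added example that is not part of the original post or the project's code: it walks the text output of `mvn dependency:tree` and reports every path that pulls in commons-beanutils below 1.9.4. It assumes a Maven build; the sample tree is constructed for illustration, and the function names are hypothetical.

```python
import re

TARGET = "commons-beanutils:commons-beanutils"
FIXED = (1, 9, 4)  # version the issue asks to pin

# Constructed sample of `mvn dependency:tree` output (assumption, not the project's real tree).
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:validation-extension:jar:0.0.1:compile
[INFO] |  \\- commons-validator:commons-validator:jar:1.6:compile
[INFO] |     +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |     \\- commons-digester:commons-digester:jar:1.8.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.30:compile
"""

# Each tree level is three characters wide ("|  " or "   "), followed by "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?(?P<coord>\S+)$")


def version_tuple(version):
    """Turn '1.9.2' into (1, 9, 2) for comparison; qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def find_vulnerable(tree_text):
    """Return the dependency path (root first) for each commons-beanutils below FIXED."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        parts = m["coord"].split(":")
        if len(parts) < 4:  # banner or separator line, not a coordinate
            continue
        depth = len(m["indent"]) // 3 + (1 if m["marker"] else 0)
        # Root is group:artifact:type:version; children append a scope.
        version = parts[-1] if len(parts) == 4 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if f"{parts[0]}:{parts[1]}" == TARGET and version_tuple(version) < FIXED:
            findings.append(list(stack))
    return findings


if __name__ == "__main__":
    for path in find_vulnerable(SAMPLE_TREE):
        print(" -> ".join(path))
```

The reported path shows which direct dependency needs the override or exclusion, which matters here because the vulnerable version arrives through commons-validator rather than being declared directly.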