pentaho-reporting

Apache Poi Vulnerability

Open MarijanaTR opened this issue 2 years ago • 3 comments

Apache POI library has 4 direct known high vulnerabilities. Can the version be updated to at least 3.17 or higher?

MarijanaTR, Feb 24 '23 13:02

@MarijanaTR - Apache POI was upgraded to version 4.1.1 more than 2 years ago. Can you give us more details on where you are seeing a 3.X version?

https://github.com/pentaho/pentaho-reporting/blame/b74afabb970d933f4d4b8dd8094d60087b436443/pom.xml#L45

lucboudreau, Feb 24 '23 14:02

@MarijanaTR and @lucboudreau: Apache POI was upgraded to 3.17 with pentaho-reporting#1108 and this was for 8.1 GA... We're using 4.1.1 since 9.2 GA.

smmribeiro, Mar 02 '23 14:03

Hi, I think @MarijanaTR wanted to say POI 5.17 at least. Can you upgrade to the last POI version? (25 November 2023 - POI 5.2.5 available)

tiago-s-vieira-alb, Dec 06 '23 16:12