A new vulnerability was recently discovered in Spring MVC and Spring WebFlux and published on the official Spring site.
Since the migration-center Jobserver does not run in Tomcat and is not packaged as a traditional WAR, it may not be affected by this vulnerability. Nevertheless, since this vulnerability might be exploited in different ways, our development team has started working to upgrade the affected Spring dependencies to the latest version that is not affected by this vulnerability. An update package will be available in the next few days.
The adapters that use the spring-core and spring-beans jars (directly affected by the vulnerability) are:
- Database Scanner
- Sharepoint Online Scanner
- Veeva Scanner
- Generis Cara Importer
- Sharepoint Batch Importer
- Sparta Trackwise Importer
- Veeva Importer
If one of the above adapters is used, the recommended actions are:
- Downgrade to Java 8 if possible
- Upgrade to migration-center 3.17 update 4 when the new package becomes available.
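
To check an installation against the two points above, the following added example (not part of the vendor's tooling) lists the spring-core and spring-beans jars found under an install folder and reports whether the Java runtime is newer than Java 8. The folder layout (one sub-folder per adapter) and the function names are assumptions made for illustration.

```python
import re
import subprocess
import sys
from pathlib import Path

# The two artifacts the advisory names as directly affected.
JAR_RE = re.compile(r"^(spring-(?:core|beans))-(\d[\w.\-]*)\.jar$")

def java_major(version_output: str) -> int:
    """Return the Java major version from `java -version` output.

    Handles the legacy scheme ("1.8.0_322" -> 8) and the current
    one ("11.0.14" -> 11, "17" -> 17).
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError(f"no version found in: {version_output!r}")
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first

def find_spring_jars(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Map each top-level folder under root to the (artifact, version)
    pairs of spring-core / spring-beans jars found anywhere below it."""
    found: dict[str, list[tuple[str, str]]] = {}
    for jar in sorted(root.rglob("*.jar")):
        m = JAR_RE.match(jar.name)
        if m:
            rel = jar.relative_to(root)
            top = rel.parts[0] if len(rel.parts) > 1 else "."
            found.setdefault(top, []).append((m.group(1), m.group(2)))
    return found

def needs_action(root: Path, version_output: str) -> list[str]:
    """Folders that ship the named jars while Java is newer than 8."""
    if java_major(version_output) <= 8:
        return []
    return sorted(find_spring_jars(root))

if __name__ == "__main__":
    root = Path(sys.argv[1])  # install folder; the path is site-specific
    # `java -version` writes its banner to stderr.
    out = subprocess.run(["java", "-version"],
                         capture_output=True, text=True).stderr
    for folder, jars in find_spring_jars(root).items():
        print(folder, jars)
    print("Java", java_major(out), "-> review:", needs_action(root, out))
```

Run it with the install folder as the only argument; an empty review list means either no matching jars were found or the runtime is already Java 8 or older.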