We have discovered that the following libraries have serious vulnerabilities registered against them.
We have also verified that they still exist in 14.5.
When will newer versions of the jar files be available and incorporated into the release?
The ant and axis jars are unlabeled. If they are version 1, they are subject to the following CVE: CVE-2023-40743.
After a thorough review of this issue by our Level 2 team, it has been determined that addressing this particular issue in the current release poses significant challenges due to high dependencies on other components. Unfortunately, this means that a fix for this issue cannot be implemented as a hotfix.
We genuinely appreciate your patience and understanding. Rest assured, we have prioritized this issue for the next major release, where we will comprehensively address the dependencies and implement with Axis2, which does not contain the CVEs being reported.
These changes are expected in R15, due out in 2025.
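One way to check what version an unlabeled jar reports, as an added example that is not part of the original exchange or of the vendor's tooling: it reads the version attributes from the jar's `META-INF/MANIFEST.MF` (including per-entry sections and folded lines) and from any Maven `pom.properties`. The function names and the sample jar are constructed for illustration.

```python
import io
import zipfile

VERSION_KEYS = ("Implementation-Version", "Bundle-Version", "Specification-Version")

def parse_manifest(text):
    """Return manifest sections as dicts; the first is the main section."""
    # Long manifest lines are folded: a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    sections = []
    for block in unfolded.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if attrs:
            sections.append(attrs)
    return sections

def jar_versions(jar_bytes):
    """Collect (source, key, value) version evidence from a jar's metadata."""
    evidence = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name == "META-INF/MANIFEST.MF":
                text = jar.read(name).decode("utf-8", "replace")
                for section in parse_manifest(text):
                    for key in VERSION_KEYS:
                        if key in section:
                            evidence.append((section.get("Name", "main"), key, section[key]))
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        evidence.append((name, "version", line[8:].strip()))
    return evidence

def reports_major(evidence, major):
    """True if any collected version string has the given major number."""
    return any(value.split(".")[0].strip() == str(major) for _, _, value in evidence)

def build_jar(files):
    """Build an in-memory jar from {entry name: text}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in files.items():
            jar.writestr(name, text)
    return buf.getvalue()

# Constructed sample manifest (not taken from any real jar), with one folded line.
SAMPLE = build_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n"
    "Name: org/example/lib\r\nImplementation-Title: Example Li\r\n brary\r\n"
    "Implementation-Version: 1.4\r\n\r\n"})
```

An empty result means the jar carries no version metadata, not that it is unaffected; in that case compare its hash against the upstream project's published release artifacts.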