jasypt version 1.9.3 is vulnerable to CVE-2022-22965

[cloudtracer]

Can this dependency be updated? Its vulnerable to a a number of old CVEs some of which are rated high.

[jbonofre]

Already updated: https://github.com/apache/activemq/blob/main/pom.xml#L72

[cloudtracer]

Thanks for the fast response @jbonofre but 1.9.3 is a vulnerable version. You can see all the vulnerabilities with this dependency on mvnrepository : https://mvnrepository.com/artifact/org.jasypt/jasypt-spring4/1.9.3

[jbonofre]

Oh sorry, I thought you asked to update to 1.9.3.

[jbonofre]

Let me do an analyse to see if the CVEs actually applicable in ActiveMQ context.