commons-lang3 v3.12.0 -> 3.18.0 #2294

stecurran-est-tech · 2025-07-24T15:40:35Z

Why:
Address CVE-2025-48924, a known vulnerability in org.apache.commons:commons-lang3.
https://nvd.nist.gov/vuln/detail/CVE-2025-48924

What:
Added a Gradle constraint to enforce the use of commons-lang3 version 3.18.0, replacing the previously used 3.12.0, which is affected by the CVE.

Expected Behavior:
Vulnerability scans should no longer report the affected version of commons-lang3.
cruise-control should build successfully with the updated dependency.

Actual Behavior:
Vulnerability scanning no longer reports the affected version.
cruise-control builds successfully after the update.

Categorization:
security/CVE

…ons-lang3:3.18.0 is used

kyguy

Tested this change with a few builds, everything looks solid!

stecurran-est-tech · 2025-09-16T15:23:21Z

@kyguy Thanks for reviewing.

@mhratson @CCisGG
Could one of the maintainers merge, if possible, please?
Thanks

Addressing CVE-2025-48924 - adding constraint to build to ensure comm…

66b4bf8

…ons-lang3:3.18.0 is used

stecurran-est-tech force-pushed the lang3_update branch from f18a99e to 66b4bf8 Compare September 11, 2025 16:43

kyguy approved these changes Sep 16, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

commons-lang3 v3.12.0 -> 3.18.0 #2294

commons-lang3 v3.12.0 -> 3.18.0 #2294

Uh oh!

stecurran-est-tech commented Jul 24, 2025

Uh oh!

kyguy left a comment

Uh oh!

stecurran-est-tech commented Sep 16, 2025

Uh oh!

Uh oh!

commons-lang3 v3.12.0 -> 3.18.0 #2294

Are you sure you want to change the base?

commons-lang3 v3.12.0 -> 3.18.0 #2294

Uh oh!

Conversation

stecurran-est-tech commented Jul 24, 2025

Uh oh!

kyguy left a comment

Choose a reason for hiding this comment

Uh oh!

stecurran-est-tech commented Sep 16, 2025

Uh oh!

Uh oh!