CVE-2022-42889 Apache Commons

[StBurcher]

Good morning folks,

I would like to ask if current JanusGraph versions are effected by https://nvd.nist.gov/vuln/detail/CVE-2022-42889 . I have the seen the Apache Commons in the pom and my trivy shows an issue. However, the CVE is hard to use. But just a friendly question to be sure.

[vtslab]

Yes, see:
https://issues.apache.org/jira/browse/TINKERPOP-2809
https://issues.apache.org/jira/browse/TINKERPOP-2815

Apart from the upstream use in Apache TinkerPop, it may be a direct dependency of JanusGraph. I did not check that.