CVE-2024-26308 in commons-compress-1.21.jar

My information security team has pointed out the vulnerability CVE-2024-26308 in commons-compress-1.21.jar.
The recommended version for use is 1.26.0.
However, the latest version of Nexus uses /nexus-3.68.1-02/system/org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar
There are two questions:

  1. Are there plans to migrate to a new version of commons-compress?
  2. If not, is it possible to change the “bad” version of commons-compress to the “good” one yourself?