Cybersecurity staff discovered that the version of Apache Commons Compress, which is used even in the latest Nexus release, is susceptible to vulnerabilities CVE-2024-26308 and CVE-2024-25710.
Does anyone know how to correctly update the version of Apache Commons Compress?
So far nothing smart comes to mind except replacing the original file
system/org/apache/commons/commons-compress/1.21/commons-compress-1.21.jar
with a new one, renaming the new one to 1.21.
And I know that in the latest version of Nexus the version of commons-compress is 1.24, but the fixed version is 1.26.0.
Additional info
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.24.0
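Whichever way the jar gets updated, the check worth having is one that reads the version out of the jar's own manifest instead of trusting the directory name, because after the rename workaround above the path still says 1.21 while the file is 1.26.0. The script below is an added example (not from the original post and not Sonatype's code): it walks the system/org/apache/commons/commons-compress/<version>/ layout quoted in the post, reads Implementation-Version (falling back to Bundle-Version) from each jar's META-INF/MANIFEST.MF, compares it with the 1.26.0 fix version named in the post, and flags jars whose manifest version disagrees with the directory they sit in. The manifest-only jars it builds for the demo are constructed sample data, not real Commons Compress artifacts.

```python
"""Inventory commons-compress jars under a Nexus install directory and compare
their manifest versions with the fixed release.

Added example, not code from the original post or from Sonatype. The directory
layout comes from the post; the manifest attributes read here
(Implementation-Version, Bundle-Version) are the standard ones Apache Commons
jars carry. build_sample_tree() writes constructed, manifest-only jars so the
script runs offline.
"""
import os
import re
import tempfile
import zipfile

# Fixed version for CVE-2024-25710 / CVE-2024-26308, as stated in the post.
FIXED_VERSION = "1.26.0"


def parse_version(v):
    """Turn "1.26.0" into (1, 26, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def manifest_version(jar_path):
    """Return Implementation-Version (or Bundle-Version) from a jar manifest, else None."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest continuation lines begin with a single space; fold them first.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    attrs = {}
    for line in text.split("\n"):
        if ":" in line:
            key, _, val = line.partition(":")
            attrs[key.strip()] = val.strip()
    return attrs.get("Implementation-Version") or attrs.get("Bundle-Version")


def scan(install_dir):
    """One record per commons-compress jar under <install_dir>/system/."""
    root = os.path.join(install_dir, "system", "org", "apache", "commons", "commons-compress")
    results = []
    if not os.path.isdir(root):
        return results
    for dir_ver in sorted(os.listdir(root)):
        dir_path = os.path.join(root, dir_ver)
        for name in sorted(os.listdir(dir_path)):
            if not name.endswith(".jar"):
                continue
            jar = os.path.join(dir_path, name)
            actual = manifest_version(jar)
            results.append({
                "path": os.path.relpath(jar, install_dir),
                "path_version": dir_ver,
                "manifest_version": actual,
                # unreadable manifest is treated as vulnerable: verify it by hand
                "vulnerable": actual is None or parse_version(actual) < parse_version(FIXED_VERSION),
                # after the rename workaround the directory and the manifest disagree
                "renamed": actual is not None and actual != dir_ver,
            })
    return results


def make_jar(path, version):
    """Write a constructed, manifest-only jar (sample data, not a real artifact)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Bundle-Version: {version}\r\n"
        f"Implementation-Version: {version}\r\n"
        "\r\n"
    )
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def build_sample_tree(base, layout):
    """layout maps directory version -> version written into that jar's manifest."""
    for dir_ver, jar_ver in layout.items():
        make_jar(os.path.join(base, "system", "org", "apache", "commons", "commons-compress",
                              dir_ver, f"commons-compress-{dir_ver}.jar"), jar_ver)


def demo():
    """Scan a constructed install before and after the rename workaround."""
    with tempfile.TemporaryDirectory() as base:
        # stock layout from the post: 1.21 on disk, plus the 1.24.0 the post mentions
        build_sample_tree(base, {"1.21": "1.21", "1.24.0": "1.24.0"})
        before = scan(base)
        # the workaround: a 1.26.0 jar dropped in under the 1.21 file name
        make_jar(os.path.join(base, "system", "org", "apache", "commons", "commons-compress",
                              "1.21", "commons-compress-1.21.jar"), "1.26.0")
        after = scan(base)
    return before, after


if __name__ == "__main__":
    for label, records in zip(("before", "after"), demo()):
        for r in records:
            print(label, r)
```

Against a real install, call scan() with the Nexus install directory (the path is whatever your deployment uses). A record with `renamed` set means the directory name no longer describes the jar, so anything that inventories by file path, including a future upgrade that expects commons-compress-1.21.jar to be the 1.21 build, will be looking at the wrong thing. The check only tells you what is inside the jar files; it does not tell you whether Nexus actually loads the swapped jar, which is the question the reply about the next release answers.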
The next release 3.70 will contain an updated version of the library.