Jaspersoft Security Advisory: May 19, 2026 - Jaspersoft Library - CVE-2026-6009

New vulnerability in Jasper Reports.

https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-may-19-2026-jaspersoft-library-cve-2026-6009-r11/

The thing is, they say the CVE is in Jasper lib 7.0.6 and lower, but they haven't released a 7.0.7 yet (not sure about 6.x either).

But this shouldn't be too much of a problem for the usage of Jasper in Servoy, because I don't think there are customers that really feed in a binary blob of data (that the customer can give) that is a Java serialized object structure (so that in Jasper that serialized object structure can suddenly access the system).

But if customers can give their own .jasper files (upload those and then run those), that could be a problem, because those are serialized Java objects.

For the most part it is just feeding in a query or maybe a foundset object that is fully controlled by the developer, not a customer that is hitting your website.
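
The reply above notes that a .jasper file is a serialized Java object, so the exposure is any path where a customer can upload one. As an added example (not part of the original posts, and not Jaspersoft or Servoy code), this Python check recognizes a Java serialization stream by its header without deserializing anything; the function names, the refuse-all policy and the sample class name are assumptions made for illustration.

```python
import struct

STREAM_MAGIC = 0xACED    # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = 5       # java.io.ObjectStreamConstants.STREAM_VERSION
TC_OBJECT = 0x73         # "new object" marker
TC_CLASSDESC = 0x72      # "new class descriptor" marker


def inspect_upload(data: bytes) -> dict:
    """Classify an uploaded blob by its bytes; nothing is deserialized."""
    result = {"serialized": False, "top_class": None}
    if len(data) < 4:
        return result
    magic, version = struct.unpack(">HH", data[:4])
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        return result
    result["serialized"] = True
    # Usual layout after the header: TC_OBJECT, TC_CLASSDESC,
    # 2-byte name length, class name (plain ASCII for normal class names).
    if len(data) >= 8 and data[4] == TC_OBJECT and data[5] == TC_CLASSDESC:
        (name_len,) = struct.unpack(">H", data[6:8])
        name = data[8:8 + name_len]
        if len(name) == name_len:  # a truncated name is left unreported
            result["top_class"] = name.decode("utf-8", errors="replace")
    return result


def accept_upload(filename: str, data: bytes) -> bool:
    """Assumed policy: refuse serialized Java streams whatever the file name."""
    return not inspect_upload(data)["serialized"]


def constructed_stream(class_name: str) -> bytes:
    """Constructed sample: stream header plus the start of a class descriptor."""
    name = class_name.encode("utf-8")
    return (struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION)
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + b"\x00" * 8)  # placeholder serialVersionUID


if __name__ == "__main__":
    blob = constructed_stream("com.example.CompiledReport")  # hypothetical class
    print(inspect_upload(blob))
    print(accept_upload("report.jasper", blob))
    print(accept_upload("report.pdf", blob))  # renamed file, same content
    print(accept_upload("data.csv", b"id,name\n1,a\n"))
```

The check keys on file content rather than the extension, so a renamed upload is classified the same way.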