    SmartClient 12 with Velocity 2.3

    Hi,
    We have SmartClient 12.1p_2022-10-22, which comes with Velocity 1.7. But because of security issues in that specific version of Velocity, we excluded it in the pom and added a newer version, Velocity 2.3.

    But now we are getting:

    Code:
    2023-07-05 20:39:22,727 ERROR (http-nio-8280-exec-5) [CustomIDACall] com.tnsi.serviceutils.web.servlet.CustomIDACall top-level exception
    java.lang.NoSuchMethodError: org.apache.velocity.context.Context.getKeys()[Ljava/lang/Object;
    at com.isomorphic.velocity.ISCReferenceInsertionEventHandler.<init>(ISCReferenceInsertionEventHandler.java:78) ~[isomorphic-core-rpc-12.1-p20221022.jar:?]
    Replacing the compiled version is not ideal, and I understand that. But is there something we can do (other than upgrading to v13, which I believe has Velocity 2.3) to circumvent the problem?
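    A defender-side check for this kind of breakage, as an added example that is not from the thread, from SmartClient or from Velocity: it scans a log for NoSuchMethodError, decodes the JVM method descriptor into a readable Java signature, and records the first jar in the trace that called the missing method, so a deployment pipeline can flag a binary-incompatible dependency swap before it reaches production. The sample log is constructed inline from the three lines quoted above.

```python
import re

# Constructed sample: the stack trace lines quoted in the post above.
SAMPLE_LOG = """\
2023-07-05 20:39:22,727 ERROR (http-nio-8280-exec-5) [CustomIDACall] com.tnsi.serviceutils.web.servlet.CustomIDACall top-level exception
java.lang.NoSuchMethodError: org.apache.velocity.context.Context.getKeys()[Ljava/lang/Object;
    at com.isomorphic.velocity.ISCReferenceInsertionEventHandler.<init>(ISCReferenceInsertionEventHandler.java:78) ~[isomorphic-core-rpc-12.1-p20221022.jar:?]
"""

_PRIMS = {"B": "byte", "C": "char", "D": "double", "F": "float", "I": "int",
          "J": "long", "S": "short", "Z": "boolean", "V": "void"}

def _decode_type(desc, i):
    """Decode one JVM type descriptor starting at desc[i]; return (java_name, next_index)."""
    dims = 0
    while desc[i] == "[":          # each leading '[' is one array dimension
        dims, i = dims + 1, i + 1
    if desc[i] == "L":             # object type: Lpkg/Class;
        end = desc.index(";", i)
        name, i = desc[i + 1:end].replace("/", "."), end + 1
    else:                          # primitive type: single letter
        name, i = _PRIMS[desc[i]], i + 1
    return name + "[]" * dims, i

def decode_method_descriptor(desc):
    """'()[Ljava/lang/Object;' -> ([], 'java.lang.Object[]')."""
    i, params = 1, []              # desc[0] is '('
    while desc[i] != ")":
        t, i = _decode_type(desc, i)
        params.append(t)
    ret, _ = _decode_type(desc, i + 1)
    return params, ret

# JDK 8 style message: owner.method + raw descriptor; frames carry the jar in ~[jar:version].
NSME_RE = re.compile(r"java\.lang\.NoSuchMethodError: (?P<owner>[\w.$]+)\.(?P<name>[\w$<>]+)(?P<desc>\(.*)")
FRAME_RE = re.compile(r"^\s*at (?P<site>\S+)\(.*?\)\s*~\[(?P<jar>[^:\]]+)")

def find_missing_methods(log):
    """Return one finding per NoSuchMethodError: the missing signature and the jar that called it."""
    findings, pending = [], None
    for line in log.splitlines():
        m = NSME_RE.search(line)
        if m:
            params, ret = decode_method_descriptor(m["desc"])
            pending = {"missing": f"{ret} {m['owner']}.{m['name']}({', '.join(params)})",
                       "caller": None, "caller_jar": None}
            findings.append(pending)
            continue
        f = FRAME_RE.match(line)
        if f and pending and pending["caller"] is None:   # first frame after the error is the caller
            pending["caller"], pending["caller_jar"] = f["site"], f["jar"]
    return findings

if __name__ == "__main__":
    for finding in find_missing_methods(SAMPLE_LOG):
        print(f"{finding['caller_jar']} calls missing {finding['missing']}")
```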

    #2
    There is no actual security vulnerability in Velocity 1.7 given the way SmartClient uses it - the only vulnerability is if you allow untrusted end users to directly edit Velocity templates, and SmartClient never does that.

    So there is no action that needs to be taken.

    However, if you end up struggling with someone who doesn't understand security and insists that Velocity be upgraded, then yes, you need to upgrade to SmartClient 13+.



      #3
      The problem is that our sec scans raise red flags.
      But I'll take your word and add an exception.

      Thanks.
