Hello!
It seems like the Webapp is running a vulnerable version of Moment.js. The latest master branch for camunda-bpm-platform, as well as the latest alpha version of 7.18, is using version 2.29.3. The vulnerable versions range from >= 2.18.0, < 2.29.4.
I couldn’t find any ongoing tasks in the CAM Jira space or any related issues in this forum, so I’m just wondering if you’re aware of this vulnerability and if there are any plans on upgrading the library?
After 6+ months the vulnerability is still reported with camunda-bpm-spring-boot-starter 7.18.0 by OWASP Dependency-Check.
From Camunda's side there is just a mention in the security notes here: Security Notices 76 | docs.camunda.org, but no reflection in the spring-boot-starter. What is the status here?