Background
There is a quantity tampering vulnerability in the OrderEntry class in the com.traveloka.pay:commerce-clean-api module.
We have implemented the fix for this in the latest jar release.
Action Needed
OrderEntry class, kindly update your dependency to use com.traveloka.pay:commerce-clean-api version 6.1.143 or higher.
com.traveloka.snapshot:commerce-clean-impl:1.0.0-SNAPSHOT, you don't need to do anything except build and release the service. The changes will be propagated automatically. However, I suggest you migrate from this snapshot to the jar version, as announced in the multirepo migration channel here,
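
One way to check which action applies to a service, as an added example that is not part of the original notice or of the commerce-clean-api code base. It assumes Gradle-style `group:artifact:version` lines in a dependency report; the sample report and the names `audit` and `parse_version` are constructed for illustration. Versions are compared numerically, because a plain string comparison would rank 6.1.99 above 6.1.143.

```python
import re

# Coordinates and the minimum fixed version are taken from the advisory.
FIXED_ARTIFACT = "com.traveloka.pay:commerce-clean-api"
FIXED_VERSION = (6, 1, 143)
SNAPSHOT_COORD = "com.traveloka.snapshot:commerce-clean-impl:1.0.0-SNAPSHOT"

# Assumption: Gradle-style "group:artifact:version", optionally "-> resolved".
COORD_RE = re.compile(r"([\w.\-]+:[\w.\-]+):([\w.\-]+)(?:\s*->\s*([\w.\-]+))?")

# Constructed sample report (versions 6.1.99, 6.1.20 and 6.2.0-rc1 are made up).
SAMPLE_REPORT = r"""
+--- com.traveloka.pay:commerce-clean-api:6.1.99
+--- com.traveloka.pay:commerce-clean-api:6.1.20 -> 6.1.143
+--- com.traveloka.pay:commerce-clean-api:6.2.0-rc1
\--- com.traveloka.snapshot:commerce-clean-impl:1.0.0-SNAPSHOT
"""

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, else None."""
    parts = text.split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(report):
    """Map each relevant dependency line to the action the advisory asks for."""
    findings = []
    for line in report.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        artifact, declared, resolved = m.groups()
        coord = f"{artifact}:{resolved or declared}"
        if coord == SNAPSHOT_COORD:
            findings.append((coord, "REBUILD"))  # build and release the service
        elif artifact == FIXED_ARTIFACT:
            parsed = parse_version(resolved or declared)
            if parsed is None:
                findings.append((coord, "REVIEW"))  # qualifier: check by hand
            elif parsed >= FIXED_VERSION:
                findings.append((coord, "OK"))
            else:
                findings.append((coord, "UPDATE"))  # below 6.1.143
    return findings

if __name__ == "__main__":
    for coord, action in audit(SAMPLE_REPORT):
        print(f"{action:8} {coord}")
```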