Security Vulnerability in Atlassian SDK (Apache commons jar)

plugin-sdk
server


The latest (6.3.10) version of the Atlassian SDK contains references to an old version of the Apache commons collections library which has a known security vulnerability which was picked up by our local security scanning tools.

JAR files indicated by this check should be patched to use an updated Apache commons collections library. For version 3.x, the patched version is 3.2.2 and for 4.x, the patched version is 4.1. Alternatively, if the InvokerTransformer class is not needed, the JAR file can be repackaged without the vulnerable class.

Is there any likelihood this will get patched?
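To check an SDK install against the remediation advice quoted in the post, the following added example (not Atlassian's or the poster's code) scans a JAR and any nested JAR/WAR entries for the InvokerTransformer class and compares the bundled commons-collections version with the patched versions named above. The function names `scan`, `bundled_version` and `build_jar` are hypothetical, and the code assumes a bundled copy keeps its Maven `pom.properties`; a copy without that metadata is reported as `unknown-version` for manual review.

```python
import io
import re
import zipfile

# InvokerTransformer entry per package layout -> (artifact, first patched version per the post).
MARKERS = {
    "org/apache/commons/collections/functors/InvokerTransformer.class": ("commons-collections", (3, 2, 2)),
    "org/apache/commons/collections4/functors/InvokerTransformer.class": ("commons-collections4", (4, 1)),
}


def bundled_version(zf, artifact):
    """Version tuple from the artifact's Maven pom.properties (assumed present), else None."""
    suffix = f"/{artifact}/pom.properties"
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith(suffix):
            text = zf.read(name).decode("utf-8", "replace")
            m = re.search(r"^version=(\d+(?:\.\d+)*)", text, re.M)
            if m:
                return tuple(int(p) for p in m.group(1).split("."))
    return None


def scan(data, label="archive"):
    """Scan JAR bytes, recursing into nested JAR/WAR entries; return (location, artifact, status)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in MARKERS:
                artifact, fixed = MARKERS[name]
                version = bundled_version(zf, artifact)
                if version is None:
                    status = "unknown-version"  # class present, no metadata: review by hand
                else:
                    status = "patched" if version >= fixed else "vulnerable"
                findings.append((label, artifact, status))
            elif name.lower().endswith((".jar", ".war")):
                findings += scan(zf.read(name), f"{label}!/{name}")
    return findings


def build_jar(entries):
    """Build an in-memory JAR from {entry name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

To scan a real file, pass its bytes and path, for example `scan(open(path, "rb").read(), path)`. The outer JAR's own manifest version is deliberately ignored, since for a repackaged copy it describes the wrapper rather than the bundled library.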