Regarding the following vulnerability found in the commons-collections library,
https://www.kb.cert.org/vuls/id/576313
I've found that the affected version 3.2.1 is pulled into hibernate (3.6.10.18) in the Grails project I am running under 2.5.5. Does this use of the library pose any threat in terms of exposing the vulnerability? Should I be importing the patched version (3.2.2) as a direct dependency to mitigate any chance of exposure?
The vulnerable class in question (InvokerTransformer) has never been used in the Grails codebase, and I don't see a circumstance where this vulnerability is exploitable in a Grails application.
Nevertheless you can of course upgrade to 3.2.2 just by specifying the dependency in your BuildConfig.groovy or build.gradle file.
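As an added illustration of the override the answer describes (not code from the thread or from the Grails project), the two declarations below pin commons-collections to the patched 3.2.2 so it wins over the 3.2.1 that hibernate pulls in transitively. The Maven coordinates `commons-collections:commons-collections:3.2.2` are the library's published ones; the `grails.project.dependency.resolution` block is the Grails 2.x BuildConfig.groovy shape, and the Gradle `resolutionStrategy.force` call is the standard Gradle API for a build that resolves this project with Gradle instead. Everything else (the surrounding hibernate plugin line, the `dependency-report` check) is an assumed context for the example.

```groovy
// --- BuildConfig.groovy (Grails 2.5.x) --------------------------------------
// Declaring the patched artifact directly makes it an explicit dependency of
// the application; Grails' Ivy-based resolver then picks 3.2.2 over the 3.2.1
// that arrives transitively through the hibernate plugin.
grails.project.dependency.resolution = {
    inherits("global") {}
    log "warn"
    repositories {
        grailsCentral()
        mavenCentral()
    }
    dependencies {
        // Patched release: InvokerTransformer and the other unsafe
        // functors no longer deserialize unless explicitly re-enabled.
        compile 'commons-collections:commons-collections:3.2.2'
    }
    plugins {
        // assumed existing plugin line; version as in the question
        runtime ':hibernate:3.6.10.18'
    }
}

// --- build.gradle (if the project is built with Gradle instead) ------------
// resolutionStrategy.force applies to every configuration, so the pin also
// covers test and runtime classpaths, not only compile.
configurations.all {
    resolutionStrategy.force 'commons-collections:commons-collections:3.2.2'
}
```

After changing the build file, run `grails dependency-report` (Grails 2.x) or `gradle dependencies` and confirm that `commons-collections` resolves to 3.2.2 on the runtime classpath; a war that still ships `commons-collections-3.2.1.jar` in `WEB-INF/lib` means the override did not take effect.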