Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/08/09 13:49:00 UTC

[jira] [Commented] (NIFI-10333) Hikari CP 4.0.3 to 5.0.1

    [ https://issues.apache.org/jira/browse/NIFI-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577425#comment-17577425 ] 

David Handermann commented on NIFI-10333:
-----------------------------------------

[~msr1716], the vulnerabilities listed apply to various database vendor drivers and do not apply to HikariCP.

HikariCP 5.0 requires Java 11, and for now NiFi still supports Java 8, so 4.0.3 is the latest version.

> Hikari CP 4.0.3 to 5.0.1
> ------------------------
>
>                 Key: NIFI-10333
>                 URL: https://issues.apache.org/jira/browse/NIFI-10333
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.17.0, 1.16.2, 1.16.3
>            Reporter: Mike R
>            Priority: Major
>
> The version of HikariCP that NiFi is using is version Hikari CP 4.0.3. It is vulnerable to the following 8 vulnerabilities due to the dependencies:
> [CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
> [CVE-2022-21724|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724]
> [CVE-2021-45105|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105]
> [CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046]
> [CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832]
> [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]
> [CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
> [CVE-2020-25638|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25638]
> In version 5.0.1, it is only vulnerable to 2 CVEs. 
> [CVE-2022-21724|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724]
> [CVE-2020-25638|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25638]
