Posted to issues@nifi.apache.org by "Alex Herman (Jira)" <ji...@apache.org> on 2020/02/10 14:19:00 UTC

[jira] [Created] (NIFIREG-359) Update maven dependencies that have CVEs

Alex Herman created NIFIREG-359:
-----------------------------------

             Summary: Update maven dependencies that have CVEs
                 Key: NIFIREG-359
                 URL: https://issues.apache.org/jira/browse/NIFIREG-359
             Project: NiFi Registry
          Issue Type: Improvement
            Reporter: Alex Herman


Running an AppScan vulnerability analysis on the 0.5.0 tag of NiFi Registry found the following issues with dependencies:

 * jackson-databind-2.9.9.1.jar - CVE-2019-16335, CVE-2019-14379, CVE-2019-16942, CVE-2019-17267, CVE-2019-16943, CVE-2019-17531, CVE-2019-14540, CVE-2019-14439

 * h2-1.4.197.jar - CVE-2018-10054, CVE-2018-14335

 * httpclient-4.5.2.jar (transitive dependency of org.eclipse.jgit) - https://github.com/apache/httpcomponents-client/commit/0554271750599756d4946c0d7ba43d04b1a7b220

 * hibernate-validator-6.0.17.Final.jar (transitive dependency of spring) - CVE-2019-10219

 * jackson-databind-2.9.8.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14540, CVE-2019-17531, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086, CVE-2019-12384, CVE-2019-14439

 * netty-codec-http2-4.1.33.Final.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-9518


I'm not sure what the process is for addressing things like this, but I can put together a pull request, if that would be helpful.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
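As an added example (not part of the report or of the NiFi Registry project), the script below parses the scanner's bullet list above into per-artifact records so the same artifact arriving at two versions (here jackson-databind, direct and via aws-java-sdk) and a finding that cites a fix commit rather than a CVE (httpclient) are visible at a glance. It assumes only the line layout shown in the report; the input is the report's own list embedded as a string.

```python
import re
from collections import defaultdict

# Findings copied verbatim from the NIFIREG-359 report above (embedded input for this example).
REPORT = """\
 * jackson-databind-2.9.9.1.jar - CVE-2019-16335, CVE-2019-14379, CVE-2019-16942, CVE-2019-17267, CVE-2019-16943, CVE-2019-17531, CVE-2019-14540, CVE-2019-14439
 * h2-1.4.197.jar - CVE-2018-10054, CVE-2018-14335
 * httpclient-4.5.2.jar (transitive dependency of org.eclipse.jgit) - https://github.com/apache/httpcomponents-client/commit/0554271750599756d4946c0d7ba43d04b1a7b220
 * hibernate-validator-6.0.17.Final.jar (transitive dependency of spring) - CVE-2019-10219
 * jackson-databind-2.9.8.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14540, CVE-2019-17531, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086, CVE-2019-12384, CVE-2019-14439
 * netty-codec-http2-4.1.33.Final.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-9518
"""
# One bullet: "<artifact>-<version>.jar [(transitive dependency of <parent>)] - <refs>"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<artifact>\S+?)-(?P<version>\d[\w.]*)\.jar"
    r"(?:\s+\(transitive dependency of (?P<via>[^)]+)\))?"
    r"\s+-\s+(?P<refs>.+)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_findings(report):
    """One record per bullet; references that are not CVE ids (e.g. a fix commit URL) are kept apart."""
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        refs = [r.strip() for r in m.group("refs").split(",")]
        cves = {r for r in refs if CVE_RE.fullmatch(r)}
        findings.append({"artifact": m.group("artifact"), "version": m.group("version"),
                         "via": m.group("via") or "direct", "cves": cves,
                         "other_refs": [r for r in refs if r not in cves]})
    return findings

def triage(findings):
    """Group per artifact: all versions seen, all paths it enters by, union of CVEs, non-CVE refs."""
    summary = defaultdict(lambda: {"versions": set(), "via": set(), "cves": set(), "other_refs": []})
    for f in findings:
        s = summary[f["artifact"]]
        s["versions"].add(f["version"])
        s["via"].add(f["via"])
        s["cves"] |= f["cves"]
        s["other_refs"] += f["other_refs"]
    return dict(summary)

if __name__ == "__main__":
    for name, s in sorted(triage(parse_findings(REPORT)).items()):
        flag = "  <-- more than one version in the tree" if len(s["versions"]) > 1 else ""
        print(f"{name}: versions={sorted(s['versions'])} via={sorted(s['via'])} "
              f"cves={len(s['cves'])} other_refs={len(s['other_refs'])}{flag}")
```

An artifact listed at more than one version is the case where bumping the direct dependency alone can leave a stale transitive copy in another module; in a multi-module Maven build a `<dependencyManagement>` entry in the parent POM is the usual way to make every module resolve the same version.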