You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@olingo.apache.org by "Norman (Jira)" <ji...@apache.org> on 2020/11/12 14:50:00 UTC

[jira] [Created] (OLINGO-1493) Security Vulnerabilities in direct dependency netty-codec-http

Norman created OLINGO-1493:
------------------------------

             Summary: Security Vulnerabilities in direct dependency netty-codec-http
                 Key: OLINGO-1493
                 URL: https://issues.apache.org/jira/browse/OLINGO-1493
             Project: Olingo
          Issue Type: Bug
          Components: odata4-server
    Affects Versions: (Java) V4 4.7.1
            Reporter: Norman


Dear Olingo Community,

odata-server-api and odata-server-core 4.7.1 have a direct dependency on

io.netty *netty-codec-http 4.1.43.Final* 

This version has known security vulnerabilities ranked with medium and high CVSS score.
See:

https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439 -> fixed in 4.1.53Final or higher
https://snyk.io/vuln/SNYK-JAVA-IONETTY-543669 -> fixed in 4.1.44.Final or higher
https://snyk.io/vuln/SNYK-JAVA-IONETTY-543490 -> fixed in 4.1.44.Final or higher

Upgrading the dependency to 4.1.53Final would fix the issue.

 

P.S. com.fasterxml.jackson.core » jackson-core 2.10.0 is outdated, too and could be upgraded to 2.11.3

 

Additional Links:

https://mvnrepository.com/artifact/org.apache.olingo/odata-server-core/4.7.1
https://mvnrepository.com/artifact/org.apache.olingo/odata-server-api/4.7.1



--
This message was sent by Atlassian Jira
(v8.3.4#803005)