reporting vulnerabilities in dependencies #1610

Closed
stealthrabbi opened this issue Jul 8, 2022 · 6 comments

Comments

@stealthrabbi

I am looking to integrate this library into my application, which I scan with trivy. Trivy has reported some vulns in the Jetty libraries that are included. I'm on Javalin 4.6.3.

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+--------------------------------+------------------+----------+-------------------+--------------------------+--------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |      FIXED VERSION       |                TITLE                 |
+--------------------------------+------------------+----------+-------------------+--------------------------+--------------------------------------+
| org.eclipse.jetty:jetty-http   | CVE-2022-2047    | LOW      | 9.4.46.v20220331  | 11.0.10, 10.0.10, 9.4.47 | Invalid URI parsing may produce      |
| (ipsummarizer.jar)             |                  |          |                   |                          | invalid HttpURI.authority            |
|                                |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2022-2047 |
+--------------------------------+------------------+----------+                   +--------------------------+--------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2022-2191    | HIGH     |                   | 11.0.10, 10.0.10         | SslConnection does not release       |
| (ipsummarizer.jar)             |                  |          |                   |                          | pooled ByteBuffers in case of errors |
|                                |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2022-2191 |
+--------------------------------+------------------+----------+-------------------+--------------------------+--------------------------------------+
@tipsy (Member) commented Jul 8, 2022

Thanks @stealthrabbi ! We have upgraded Jetty in Javalin 4.6.4, which was released earlier today :)

@tipsy tipsy closed this as completed Jul 8, 2022
@stealthrabbi (Author)

Ah ok thanks. 4.6.3 is still showing as the latest on maven central. Does it take time to push up?

https://mvnrepository.com/artifact/io.javalin/javalin

@tipsy (Member) commented Jul 8, 2022

Yes, it usually takes a few hours. mvnrepository is actually not the official page, https://search.maven.org is. You can find the artifact here: https://search.maven.org/artifact/io.javalin/javalin/4.6.4/jar, but it's also not searchable there yet.

@ajsutton (Contributor)

I've pulled in Javalin 4.6.4 which is using Jetty 9.4.48.v20220622 but I'm still getting the same high priority warning for CVE-2022-2191.

Notably support for Jetty 9.4 was dropped on June 1st (jetty/jetty.project#7958). I may have missed it but I don't see a fix for CVE-2022-2191 in the 9.4 branch.

@Playacem (Member)

@ajsutton 9.4.x is not affected. See here: jetty/jetty.project#8161

@ajsutton (Contributor)

@Playacem Thank you - the CVE has the wrong versions and I hadn't seen the comments at the bottom of the PR.
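The thread ends with a scanner disagreeing with the upstream project about which Jetty versions CVE-2022-2191 affects. The following is an added example, not code from the original issue, from Javalin or from trivy: it reads the jetty-server version actually bundled in a jar from its Maven pom.properties, triages it against what the thread states (fixed in 10.0.10 and 11.0.10 per trivy's table, 9.4.x not affected per jetty/jetty.project#8161), and, when the finding is a false positive, produces a .trivyignore entry with the justification recorded alongside it. The jar used below is constructed in memory as a stand-in for ipsummarizer.jar; the affected-range logic is the example's own encoding of the thread, not trivy's database.

```python
"""Triage a CVE-2022-2191 finding against the Jetty version really bundled in a jar.

Added example: the jar is constructed in memory, and the affected-range table only
encodes what the issue thread states (fixed in 10.0.10 / 11.0.10, 9.4.x not affected
per jetty/jetty.project#8161). Any other Jetty line is treated as affected so a human
looks at it instead of the script silencing it.
"""
import io
import re
import zipfile
from typing import Optional, Tuple

CVE = "CVE-2022-2191"
# Fixed patch level per (major, minor), as reported in trivy's FIXED VERSION column.
FIXED = {(10, 0): 10, (11, 0): 10}
# Lines the Jetty maintainers state were never affected.
UNAFFECTED_MINORS = {(9, 4)}

POM_PROPS = "META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties"


def bundled_jetty_server_version(jar_bytes: bytes) -> Optional[str]:
    """Return the jetty-server version recorded in the jar's Maven metadata, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '9.4.48.v20220622' into (9, 4, 48); the date qualifier is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if this jetty-server version is within the affected range for CVE-2022-2191."""
    major, minor, patch = parse_version(version)
    if (major, minor) in UNAFFECTED_MINORS:
        return False
    fix = FIXED.get((major, minor))
    if fix is None:
        return True  # unknown line: conservative, keep the finding
    return patch < fix


def trivyignore_entry(version: str) -> str:
    """A .trivyignore stanza (comment + CVE id) if the finding is a false positive, else ''."""
    if is_affected(version):
        return ""
    return (
        f"# {CVE}: bundled jetty-server {version}; "
        f"9.4.x not affected per jetty/jetty.project#8161\n"
        f"{CVE}\n"
    )


def build_sample_jar(jetty_version: str) -> bytes:
    """Constructed stand-in for ipsummarizer.jar containing only the Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPS,
            "#Generated by Maven\n"
            f"version={jetty_version}\n"
            "groupId=org.eclipse.jetty\n"
            "artifactId=jetty-server\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("9.4.46.v20220331", "9.4.48.v20220622", "10.0.9", "10.0.10", "11.0.8"):
        found = bundled_jetty_server_version(build_sample_jar(v))
        print(f"{found:<20} affected={is_affected(found)}")
    print(trivyignore_entry("9.4.48.v20220622"), end="")
```

The point of emitting the comment together with the CVE id is that a .trivyignore entry with no recorded reason becomes permanent: when the application later moves to Jetty 10 or 11, the justification line is what tells the next reader the suppression no longer holds.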

4 participants