[ 
https://issues.apache.org/jira/browse/GEODE-10415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602556#comment-17602556
 ] 

Alexander Murmann commented on GEODE-10415:
-------------------------------------------

Hi [~WeijieEST]. I think this one should just be a dependency update. Since you 
volunteered on the mailing list to bump dependencies, I figured it might make 
sense to assign this to you, so that you can resolve it once you have bumped 
versions. Please, of course, feel free to unassign if this didn't make sense.

> CVEs detected in latest geode
> -----------------------------
>
>                 Key: GEODE-10415
>                 URL: https://issues.apache.org/jira/browse/GEODE-10415
>             Project: Geode
>          Issue Type: Bug
>    Affects Versions: 1.15.0
>            Reporter: Shruti
>            Assignee: Weijie Xu
>            Priority: Blocker
>              Labels: needsTriage
>
> We are detecting the following CVEs with geode
> 💥 High or critical vulnerabilities: 21
> The spring-core is likely Not Affected. But we would like to know about the 
> rest of these listed CVEs. Any info is appreciated.
>
> NAME                 INSTALLED         FIXED-IN  TYPE          VULNERABILITY        SEVERITY
> jetty-security       9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jetty-server         9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jetty-servlet        9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jetty-util           9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jetty-util-ajax      9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jetty-webapp         9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jetty-xml            9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jgroups              3.6.14.Final      4.0.0     java-archive  GHSA-rc7h-x6cq-988q  Critical
> shiro-cache          1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-config-core    1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-config-ogdl    1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-core           1.9.0             1.9.1     java-archive  GHSA-4cf5-xmhp-3xj7  Critical
> shiro-core           1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-crypto-cipher  1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-crypto-core    1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-crypto-hash    1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-event          1.9.0                       java-archive  CVE-2022-32532       Critical
> shiro-lang           1.9.0                       java-archive  CVE-2022-32532       Critical
> spring-core          5.3.20                      java-archive  CVE-2016-1000027     Critical
> jetty-http           9.4.46.v20220331            java-archive  CVE-2022-2048        High
> jetty-io             9.4.46.v20220331            java-archive  CVE-2022-2048        High



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
