[
https://issues.apache.org/jira/browse/HBASE-27817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17716727#comment-17716727
]
Duo Zhang commented on HBASE-27817:
-----------------------------------
We shade glassfish in hbase-thirdparty, so this requires modifying
hbase-thirdparty?
> Migrate javax.el:3.0.1-b08 to jakarta.el-4.0.2
> ----------------------------------------------
>
> Key: HBASE-27817
> URL: https://issues.apache.org/jira/browse/HBASE-27817
> Project: HBase
> Issue Type: Task
> Affects Versions: 3.0.0-alpha-4, 2.5.5, 2.4.18
> Reporter: Wes Schuitema
> Priority: Trivial
>
> The javax.el artifact contains a CVE: [CVE-2021-28170.
> |https://nvd.nist.gov/vuln/detail/CVE-2021-28170]The CVE itself is not a big
> issue since we're pre-compiling our JSP pages when building HBase, no user
> input is parsed which reduces the risk considerably.
> The org.glassfish:javax.el artifact was moved to org.glassfish:jakarta.el,
> which means a migration to get rid of the CVE.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
