[https://issues.apache.org/jira/browse/NIFI-10080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17545585#comment-17545585]
David Handermann commented on NIFI-10080:
-----------------------------------------
The ESAPI library is one of several older dependencies required by the older
Spring SAML2 Core library. Refactoring SAML2 integration to use the new Spring
Security implementation will provide the best resolution.
> Upgrade Vulnerable esapi dependency
> ------------------------------------
>
> Key: NIFI-10080
> URL: https://issues.apache.org/jira/browse/NIFI-10080
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.16.1, 1.16.2
> Reporter: Mike R
> Priority: Major
>
> The ESAPI software found at esapi-2.2.0.0.jar has 2 vulnerabilities in it
> that affect all versions below 2.3.0.0. Updating will remove the
> vulnerabilities.
> # [CVE-2022-23457|https://github.com/advisories/GHSA-8m5h-hrqm-pxm2]
> # [CVE-2022-24891|https://github.com/advisories/GHSA-q77q-vx4q-xx6q]