Hi, Ignite uses H2 as one of 2 available execution engines. Module 'ignite-indexing' depends on H2. Long story short, we can't bump H2 version anymore as some integration points were dropped in higher H2 versions. However, this CVE along with other known issues[1] do not affect the Ignite.
[1] https://issues.apache.org/jira/browse/IGNITE-15241 On Fri, Jan 20, 2023 at 1:06 PM Gianluca Bonetti <gianluca.bone...@gmail.com> wrote: > Hello > > I am also using Apache Ignite for some projects, but I don't see any > dependency on h2 in my projects. > I think h2 dependency is coming from somewhere else. > Can you run a "mvn dependency:tree" and share the results? > > Cheers > Gianluca > > On Fri, 20 Jan 2023 at 09:56, David Cussen <david.cus...@workday.com> > wrote: > >> Hi, >> >> I am an employee in Workday and our team uses Apache Ignite for one of >> our products. There is a dependency on com.h2database:h2:jar:1.4.197 : >> https://github.com/apache/ignite/blob/master/parent/pom.xml#L92 >> >> >> >> We are wondering if there is a plan to upgrade this dependency to >> remediate CVE-2021-42392 >> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392> and if >> so, do you have an ETA on when this would be available? >> >> >> >> Thank you. >> >> >> >> Kind regards, >> >> David Cussen >> >> Workday >> >> >> > -- Best regards, Andrey V. Mashenkov
