  1. Apache NiFi
  2. NIFI-8901

Update maven dependencies that have CVEs

Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: NiFi Registry
    • Labels: None

    Description

      Running an AppScan vulnerability analysis on the 0.5.0 tag of NiFi Registry found the following issues with dependencies:

      • jackson-databind-2.9.9.1.jar - CVE-2019-16335, CVE-2019-14379, CVE-2019-16942, CVE-2019-17267, CVE-2019-16943, CVE-2019-17531, CVE-2019-14540, CVE-2019-14439
      • h2-1.4.197.jar - CVE-2018-10054, CVE-2018-14335
      • hibernate-validator-6.0.17.Final.jar (transitive dependency of spring) - CVE-2019-10219
      • jackson-databind-2.9.8.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14540, CVE-2019-17531, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086, CVE-2019-12384, CVE-2019-14439
      • netty-codec-http2-4.1.33.Final.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-9518

      I'm not sure what the process is for addressing things like this, but I can put together a pull request, if that would be helpful.

          People

            Assignee: Nathan Gough (thenatog)
            Reporter: Alex Herman