thelastpickle/cassandra-reaper

upgrade dropwizard.version 2.1.0 or higher to fix CVEs

Closed this issue · 0 comments

Noticed a bunch of CVEs during the vulnerability scanning:

They all seem to be dependencies of the dropwizard-core dependency according to the mvn dependency:tree. To be able to fix these, we should bump the dropwizard-core version to 2.1.0 or higher, but it might require some code changes, since I tried to apply patches to fix the CVEs but the build failed.

📦 amqp-client 5.16.0 (java-archive)
    Medium CVE-2023-46120 GHSA-mm8h-8587-p46h fixed in 5.18.0
📦 jackson-databind 2.10.5.1 (java-archive)
    High CVE-2021-46877 GHSA-3x8x-79m2-3w2w fixed in 2.12.6
    High CVE-2020-36518 GHSA-57j2-w4cx-62h2 fixed in 2.12.6.1
    High CVE-2022-42003 GHSA-jjjh-jjxp-wpff fixed in 2.12.7.1
    High CVE-2022-42004 GHSA-rgv9-q543-rqg4 fixed in 2.12.7.1
📦 jersey-common 2.33 (java-archive)
    Medium CVE-2021-28168 GHSA-c43q-5hpj-4crv fixed in 2.34
📦 jetty-http 9.4.50.v20221201 (java-archive)
    Medium CVE-2023-40167 GHSA-hmr7-m48g-48f6 fixed in 9.4.52
📦 jetty-server 9.4.50.v20221201 (java-archive)
    Low CVE-2023-26049 GHSA-p26g-97m4-6q7c fixed in 9.4.51.v20230217
    Medium CVE-2023-26048 GHSA-qw69-rqj8-6qw8 fixed in 9.4.51.v20230217
📦 jetty-servlets 9.4.50.v20221201 (java-archive)
    Low CVE-2023-36479 GHSA-3gh6-v5v9-6v9j fixed in 9.4.52
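As an added check that is not part of this issue or of cassandra-reaper's own code: the script below reads `mvn dependency:tree` output and flags every artifact from the scan listing whose resolved version is still below the highest "fixed in" version, so the effect of bumping `dropwizard.version` can be verified before and after the change. The groupIds, the sample tree text and the dropwizard-core placeholder version are my assumptions and constructions (the scan shows only artifact names), and the version comparison is a numeric approximation rather than Maven's full ordering.

```python
import re
import sys

# Minimum fixed versions, taken from the scan listing in this issue.
# The groupIds are supplied here (assumed) because the scan shows only
# artifact names; for jackson-databind the highest "fixed in" is used.
FIXED_IN = {
    "com.rabbitmq:amqp-client": "5.18.0",
    "com.fasterxml.jackson.core:jackson-databind": "2.12.7.1",
    "org.glassfish.jersey.core:jersey-common": "2.34",
    "org.eclipse.jetty:jetty-http": "9.4.52",
    "org.eclipse.jetty:jetty-server": "9.4.51.v20230217",
    "org.eclipse.jetty:jetty-servlets": "9.4.52",
}

# Constructed sample of `mvn dependency:tree` output; the dropwizard-core
# version is a placeholder, the others are the versions named in the scan.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.dropwizard:dropwizard-core:jar:x.y.z:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.5.1:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.50.v20221201:compile
[INFO] |  |  \\- org.eclipse.jetty:jetty-http:jar:9.4.50.v20221201:compile
[INFO] |  \\- org.glassfish.jersey.core:jersey-common:jar:2.33:compile
[INFO] \\- com.rabbitmq:amqp-client:jar:5.16.0:compile
"""


def parse_version(version):
    """Numeric-only approximation of Maven's version ordering:
    '9.4.50.v20221201' -> (9, 4, 50, 20221201). Adequate for the x.y.z and
    x.y.z.vDATE forms in this scan; not a full ComparableVersion."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_fixed(found, fixed_in):
    """True when the resolved version is at least the 'fixed in' version."""
    return parse_version(found) >= parse_version(fixed_in)


def parse_tree(tree_text):
    """Yield (groupId:artifactId, version) for each coordinate line of
    dependency:tree output. Lines look like
    '[INFO] |  +- group:artifact:type[:classifier]:version:scope'."""
    for line in tree_text.splitlines():
        fields = line.split()
        parts = fields[-1].split(":") if fields else []
        if len(parts) == 4:        # root artifact: g:a:type:version
            yield f"{parts[0]}:{parts[1]}", parts[3]
        elif len(parts) >= 5:      # dependency: g:a:type[:cls]:version:scope
            yield f"{parts[0]}:{parts[1]}", parts[-2]


def find_vulnerable(tree_text, fixed_in=FIXED_IN):
    """Return [(coordinate, resolved_version, fixed_in_version)] for every
    artifact in the tree that resolves below its fixed version."""
    return [
        (coord, version, fixed_in[coord])
        for coord, version in parse_tree(tree_text)
        if coord in fixed_in and not is_fixed(version, fixed_in[coord])
    ]


if __name__ == "__main__":
    # Read real tree output from a pipe; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    findings = find_vulnerable(text)
    for coord, found, fixed in findings:
        print(f"{coord} {found} -> needs >= {fixed}")
    sys.exit(1 if findings else 0)
```

Run it as `mvn dependency:tree | python3 check_tree.py` on the branch before and after the version bump; a non-zero exit means at least one of the listed artifacts still resolves to a vulnerable version, which is the case the issue describes for the current dropwizard-core.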