Security vulnerabilities found in jetty (dependency) #173

Closed
BrunoBonacci opened this issue Feb 14, 2021 · 3 comments

Comments

BrunoBonacci commented Feb 14, 2021

Hi,

lein-nvd is reporting a number of security vulnerabilities in jetty (one of the transitive dependencies).

Here is the dep tree:

 [com.cognitect.aws/api "0.8.498"]
   [com.cognitect/http-client "0.1.105"]
     [org.eclipse.jetty/jetty-client "9.4.27.v20200227"]
       [org.eclipse.jetty/jetty-io "9.4.27.v20200227"]
     [org.eclipse.jetty/jetty-http "9.4.27.v20200227"]
     [org.eclipse.jetty/jetty-util "9.4.27.v20200227"]

Here are the vulnerabilities reported:

+---------------------------------+------------------------------------------------+
| dependency                      | status                                         |
+---------------------------------+------------------------------------------------+
| jetty-util-9.4.27.v20200227.jar | CVE-2019-17638, CVE-2020-27218, CVE-2020-27216 |
+---------------------------------+------------------------------------------------+

Here are the CVE details:

All of the above vulnerabilities have been fixed in jetty in the following version; please update to:

[org.eclipse.jetty/jetty-client "9.4.35.v20201120"]
[org.eclipse.jetty/jetty-http   "9.4.35.v20201120"]
[org.eclipse.jetty/jetty-util   "9.4.35.v20201120"]
@dchelimsky
Contributor

Thanks for the report. I don't know how long it will be for us to get this through. In the meantime, for anybody unaware who may read this, you should be able to add these explicit jetty dependencies to your tools.deps, lein, or boot configuration to override the transitive dependencies.
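The override described in the comment above, written out as an added example (this is not code from the aws-api project or from the commenter). The versions are the ones named in this issue; the project name and the consuming project's own dependency list are assumptions. jetty-io is pinned as well because it appears in the reported tree and jetty modules should be kept at one version.

```clojure
;; deps.edn (tools.deps): dependencies declared at the top level take
;; precedence over the transitive ones, so these pins replace the
;; 9.4.27.v20200227 jetty artifacts pulled in by com.cognitect/http-client.
{:deps {com.cognitect.aws/api         {:mvn/version "0.8.498"}
        ;; ... the project's other dependencies go here (assumed) ...
        org.eclipse.jetty/jetty-client {:mvn/version "9.4.35.v20201120"}
        org.eclipse.jetty/jetty-http   {:mvn/version "9.4.35.v20201120"}
        org.eclipse.jetty/jetty-util   {:mvn/version "9.4.35.v20201120"}
        org.eclipse.jetty/jetty-io     {:mvn/version "9.4.35.v20201120"}}}

;; project.clj (Leiningen): resolution is "nearest wins", so a direct
;; declaration likewise overrides the transitive version.
;; "example-app" is a hypothetical project name.
(defproject example-app "0.1.0"
  :dependencies [[com.cognitect.aws/api "0.8.498"]
                 [org.eclipse.jetty/jetty-client "9.4.35.v20201120"]
                 [org.eclipse.jetty/jetty-http   "9.4.35.v20201120"]
                 [org.eclipse.jetty/jetty-util   "9.4.35.v20201120"]
                 [org.eclipse.jetty/jetty-io     "9.4.35.v20201120"]])
```

After editing, `clj -Stree` (tools.deps) or `lein deps :tree` should list only 9.4.35.v20201120 jetty artifacts; re-run the dependency scanner to confirm the reported CVEs no longer match.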

@dchelimsky
Contributor

Fixed in 6222887

Released in aws-api-0.8.505

Upgraded to cognitect/http-client-0.1.106, which depends on jetty 9.4.36.v20210114

@BrunoBonacci
Author

Hi,

thanks for the fix.
Unfortunately, it appears that this version is now affected by another vulnerability.

  using nvd-clojure:  and dependency-check: 5.3.2
+-----------------------------------+----------------+
| dependency                        | status         |
+-----------------------------------+----------------+
| jetty-client-9.4.36.v20210114.jar | CVE-2020-27223 |
| jetty-http-9.4.36.v20210114.jar   | CVE-2020-27223 |
+-----------------------------------+----------------+

2 vulnerabilities detected. Severity: MEDIUM
