Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerabilites in jersey component In Reaper #1248

Open
vchauhan81 opened this issue Dec 12, 2022 · 4 comments · May be fixed by #1293
Open

Security vulnerabilites in jersey component In Reaper #1248

vchauhan81 opened this issue Dec 12, 2022 · 4 comments · May be fixed by #1293
Labels
ready

Comments

@vchauhan81
Copy link

vchauhan81 commented Dec 12, 2022
edited by adejanovski

Project board link

We are using cassandra-reaper version 3.2.0 in our product.
Recently we did Blackduck security scan and following issue was reported for reaper.

Component name : jersey's jersey

Component version name : 2.33

CVE :
CVE-2021-28168 (BDSA-2021-1123) - score 5.5

Can you please help us to confirm -

if version 3.2.0 is vulnerable for these CVE ?
if yes, in which version the fix would be available ?
@adejanovski
Copy link
Contributor

We don't have a fix version for this yet.

@vchauhan81
Copy link
Author

@adejanovski
Any idea if version 3.2.0 is vulnerable with this CVE ?

adejanovski added a commit that referenced this issue May 4, 2023
@adejanovski
Update pom.xml
53ebd09 
Fixes #1248

Upgrade jersey to 2.34 in order to fix CVE-2021-28168
@adejanovski adejanovski linked a pull request May 4, 2023 that will close this issue
Draft
@adejanovski
Copy link
Contributor

Most probably, yes.
I've created a PR which upgrades jersey to v2.34 which contains the fix.
Let's see how CI goes.

@vchauhan81
Copy link
Author

Hi @adejanovski
Which version of reaper will have this fix ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ready
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update pom.xml thelastpickle/cassandra-reaper
2 participants
@adejanovski @vchauhan81