Need to address CWE-79 in the latest docker image #354
The latest official Docker image with the tag 20.0.0.8-full-java8-ibmjava ships with a version of IBM Java SDK with JAX-RS API implementation that is reported by HCL AppScan as affected by vulnerabilities in CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The scan indicates a number of calls to the method javax.servlet.jsp.JspWriter.print(String):void in defaultHtmlEntry_jsp which is reported as vulnerable to a Cross Site Scripting exploit as described in CWE-79. Is there a plan to update the official images to ship with a remediated version of IBM JDK and address this issue? Thanks.

hey @juliankamil - sorry for the delay. With every release we pick up the latest available IBM JDK versions. Have you tried the

@juliankamil - which CVEs from this CWE were you particularly interested in? That will help us track down the fixes.

No worries, thanks @arthurdm... We haven't, but will try.

On this, I will check with the development team and get back to you. Generally speaking though, we are not calling the method reported as vulnerable directly; we are only using the Java SDK with the library that happens to be using the method. So we'll need to do some tracking down to see which CVEs are applicable in this case.

Hi @juliankamil, actually I am facing the same above-mentioned issue (javax.servlet.jsp.JspWriter.print(String):void) in Spring MVC. Thanks in advance 😃
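The shape of the finding AppScan reports above, as an added illustration rather than code from this issue, the Liberty image or the JSP in question: javax.servlet.jsp.JspWriter.print(String) writes its argument to the response verbatim, so the scanner flags every call as a CWE-79 sink, and the finding is only a real vulnerability when request-controlled data can reach that argument unencoded (the fromRequest parameter and the encodeForHtml helper are assumptions for the example).

```java
import java.io.IOException;
import javax.servlet.jsp.JspWriter;

public class JspOutputEncoding {

    // Minimal encoder for an HTML text/attribute context (assumed helper).
    // A maintained library encoder should be preferred over a hand-rolled one.
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The pattern a static scanner reports: a value that may originate from the
    // request (assumed to be a request parameter here) flows straight into the sink.
    // Triage has to establish whether that argument can actually carry request data.
    public static void renderUnencoded(JspWriter out, String fromRequest) throws IOException {
        out.print("<p>Hello " + fromRequest + "</p>");
    }

    // Same sink, but the untrusted value is encoded for the HTML context first,
    // so markup in the input is rendered as text instead of being interpreted.
    public static void renderEncoded(JspWriter out, String fromRequest) throws IOException {
        out.print("<p>Hello " + encodeForHtml(fromRequest) + "</p>");
    }
}
```

For constructed input such as "<b>x</b>", encodeForHtml returns "&lt;b&gt;x&lt;/b&gt;", which is what renderEncoded writes to the response.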