Dependency vulnerability (org.codehaus.jettison) #4238
Assignees
Labels
dependencies
Pull requests that update a dependency file
Comments
OlgaMaciaszek
added
dependencies
|
Hello @trcoelho. Thanks for reporting it. The dependency comes from an external project. I have create it a PR: Netflix/eureka#1530. |
|
Hey @OlgaMaciaszek, I see the eureka core team merged a fix on their end. What is the process for getting this change into spring-cloud-starter-netflix-eureka-client? I am also waiting on this to fix some CVEs in our application, and if there is something to contribute to get it done, I am happy to help. Thank you!! |
|
We need to wait for them to release the new version (hopefully, next week). If there's any other issue you see, feel free to create a pull request. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Have opened this one at spring-boot project (spring-projects/spring-boot#38769), however this dependency is not managed by them.
spring-cloud-starter-netflix-eureka-client uses jettison dependency (org.codehaus.jettison) on 1.4.0 version:
https://mvnrepository.com/artifact/org.codehaus.jettison/jettison/1.4.0
Which has several security vulnerabilities.
It should use latest version 1.5.4 that has no security vulnerabilities:
https://mvnrepository.com/artifact/org.codehaus.jettison/jettison/1.5.4
Thank you.
The text was updated successfully, but these errors were encountered: