Upgrade Jetty version (old CVEs issues)?


Hello, thank you for all your efforts on creating this framework! I fully appreciate the hard work that goes into maintaining open source software!

I’ve just run an OWASP check using org.owasp:dependency-check-gradle:5.2.1. I’ve only looked at the first CVE, and it seems to have been already solved in a newer minor Jetty version update. I suspect this may also apply to the others:

jetty-webapp-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-server-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-server@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-servlet-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-servlet@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-security-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-security@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:security-framework_project:security-framework:9.4.12.v20180830:*:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-server-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-servlet-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-servlet@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-client-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-client@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-client-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-client@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-http-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-http@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-common-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-common@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-xml-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-xml@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-util-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-util@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:5 (2 by maintainers)
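
Every summary line in the report above has the same shape: jar name, a parenthesised list of identifiers (one Maven package URL plus several CPEs), then the CVEs. The following is an added example, not part of the original issue or of dependency-check, that parses that shape and groups the findings by resolved version; the function names and the "product is not jetty" filter are assumptions made for this illustration.

```python
from collections import defaultdict
import re

# Three of the twelve summary lines from the report above, copied verbatim.
REPORT = """\
jetty-webapp-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-server-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-server@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-security-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-security@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:security-framework_project:security-framework:9.4.12.v20180830:*:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
"""

PURL_RE = re.compile(r"pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>.+)")


def parse_finding(line):
    """Split one summary line into Maven coordinates, CPE vendor:product pairs and CVEs."""
    head, sep, cves = line.strip().rpartition(") : ")
    jar, paren, ids = head.partition(" (")
    if not sep or not paren:
        raise ValueError(f"not a finding line: {line!r}")
    ids = ids.split(", ")
    purl = next((m for m in map(PURL_RE.fullmatch, ids) if m), None)
    if purl is None:
        raise ValueError(f"no Maven package URL in: {line!r}")
    # cpe:2.3:<part>:<vendor>:<product>:<version>:... -> keep "vendor:product"
    cpes = {":".join(i.split(":")[3:5]) for i in ids if i.startswith("cpe:2.3:")}
    return {"jar": jar, **purl.groupdict(), "cpes": cpes, "cves": cves.split(", ")}


def summarize(report, group_prefix="org.eclipse.jetty"):
    """Group findings by resolved version: one entry means the flagged jars share one version."""
    out = defaultdict(lambda: {"artifacts": set(), "cves": set(), "other_cpes": set()})
    for line in filter(str.strip, report.splitlines()):
        f = parse_finding(line)
        if not f["group"].startswith(group_prefix):
            continue
        slot = out[f["version"]]
        slot["artifacts"].add(f["artifact"])
        slot["cves"].update(f["cves"])
        # Heuristic (assumption): a CPE whose product is not "jetty" deserves a manual look.
        slot["other_cpes"].update(c for c in f["cpes"] if c.split(":")[1] != "jetty")
    return dict(out)


if __name__ == "__main__":
    for version, info in summarize(REPORT).items():
        print(version, sorted(info["artifacts"]), sorted(info["cves"]), sorted(info["other_cpes"]))
```

On these lines the result is a single version entry carrying the same two CVEs for every artifact, plus two non-Jetty CPE matches to review by hand.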

Top GitHub Comments

2 reactions
AnharMiah commented, Jun 15, 2020

Thanks @tipsy, I’ve only found one breaking change, which was basically changing the import from javalin.Context over to javalin.http.Content, so a regex replace fixed that pretty quickly! Re-ran all the tests and they have passed, so seems to be all good 😃

1 reaction
tipsy commented, Jun 15, 2020

Aha, that makes sense then. Let me know if you run into trouble.
