Security vulnerabilities in jersey component in Reaper #1248

Open
vchauhan81 opened this issue Dec 12, 2022 · 4 comments · May be fixed by #1293
Labels: product-backlog (Issues in the state 'product-backlog')

Comments

vchauhan81 commented Dec 12, 2022

We are using cassandra-reaper version 3.2.0 in our product.
Recently we did a Blackduck security scan and the following issue was reported for reaper.

Component name : jersey's jersey

Component version name : 2.33

CVE :
CVE-2021-28168 (BDSA-2021-1123) - score 5.5

Can you please help us to confirm:

- if version 3.2.0 is vulnerable to this CVE?
- if yes, in which version will the fix be available?

Issue is synchronized with this Jira Story by Unito (Issue Number: REAP-80)

adejanovski (Contributor) commented

We don't have a fix version for this yet.

@adejanovski adejanovski moved this to Ready in K8ssandra Jan 9, 2023
vchauhan81 (Author) commented

@adejanovski
Any idea if version 3.2.0 is vulnerable to this CVE?

adejanovski added a commit that referenced this issue May 4, 2023
Fixes #1248

Upgrade jersey to 2.34 in order to fix CVE-2021-28168
@adejanovski adejanovski linked a pull request May 4, 2023 that will close this issue
adejanovski (Contributor) commented

Most probably, yes.
I've created a PR which upgrades jersey to v2.34 which contains the fix.
Let's see how CI goes.

vchauhan81 (Author) commented

Hi @adejanovski
Which version of reaper will have this fix?

@adejanovski adejanovski moved this from Ready to Product Backlog in K8ssandra Aug 22, 2024
@adejanovski adejanovski added product-backlog Issues in the state 'product-backlog' and removed ready labels Aug 22, 2024