Closed brianjahnke closed 3 years ago
Hi, thanks for the heads-up. If we want to bump Apache Jena to 4.1.0 (3.17.0 sadly still uses the same Thrift version), then we need to go from Java 8 to Java 11. I will need to notify others about this breaking change first, then we can look into fixing this vulnerability quickly.
Hello @brianjahnke , I have updated Jena in all of our projects. Version 4.0.11-SNAPSHOT and later are affected. Thanks again for the report.
Hi, we perform security analysis on all builds of the Dataspace Connector and got a report of a vulnerability imported via the infomodel. The infomodel imports Apache Jena 3.16, which internally imports org.apache.thrift:libthrift:jar:0.13.0. libthrift 0.13 is affected by CVE-2020-13949 ('potential DoS when processing untrusted payloads') and has a severity level of 'High'. This has been fixed in version 0.14.
Please bump up the dependency version.
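A check like the one the report describes, as an added example that is not code from this thread, the Dataspace Connector or the infomodel: a Python script that scans `mvn dependency:tree` output for the transitive `org.apache.thrift:libthrift` and flags any version older than 0.14.0, the release the report names as fixing CVE-2020-13949. The embedded tree is a constructed sample; `com.example:connector` and `com.example:infomodel` are placeholder coordinates, while `org.apache.jena:jena-arq` and `org.apache.thrift:libthrift` are the real artifacts at the versions the report mentions.

```python
"""Scan `mvn dependency:tree` output for a vulnerable transitive libthrift.

Added example for the thread above; not part of the Dataspace Connector or
its infomodel. Run `mvn dependency:tree > tree.txt` and pass the file as the
only argument, or run with no arguments to check the constructed sample.
"""
import re
import sys
from typing import List, NamedTuple

# Release in which CVE-2020-13949 is fixed, per the report above.
FIXED_THRIFT_VERSION = "0.14.0"

# Constructed sample (not real build output). The root and infomodel
# coordinates are placeholders; jena-arq and libthrift are the real artifacts
# named in the report, at the versions the report names.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ connector ---
[INFO] com.example:connector:jar:1.0.0
[INFO] +- com.example:infomodel:jar:1.0.0:compile
[INFO] |  \\- org.apache.jena:jena-arq:jar:3.16.0:compile
[INFO] |     \\- org.apache.thrift:libthrift:jar:0.13.0:compile
[INFO] \\- org.springframework.boot:spring-boot-starter:jar:2.4.5:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# The same constructed tree after a hypothetical bump that pulls in a fixed libthrift.
PATCHED_TREE = SAMPLE_TREE.replace("libthrift:jar:0.13.0", "libthrift:jar:0.14.2")

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# "[INFO]", the box-drawing prefix (|, +-, \-, spaces), then the coordinates.
_TREE_LINE = re.compile(r"^\[INFO\]\s*(?P<tree>[|+\\\- ]*)(?P<coords>\S+)$")


class Dependency(NamedTuple):
    group: str
    artifact: str
    version: str
    depth: int  # 0 = the project itself, 1 = direct dependency, ...


def parse_version(version: str) -> tuple:
    """Comparable key for a Maven version string.

    Numeric dot-separated components are compared first; a qualifier such as
    -SNAPSHOT or -RC1 ranks below the bare release, as Maven orders them
    (0.14.0-SNAPSHOT < 0.14.0 < 0.14.1).
    """
    numbers: List[int] = []
    has_qualifier = False
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            numbers.append(int(part))
        else:
            has_qualifier = True
            break
    while len(numbers) < 3:  # "0.14" compares equal to "0.14.0"
        numbers.append(0)
    return (tuple(numbers), 0 if has_qualifier else 1)


def iter_dependencies(tree_text: str):
    """Yield every artifact in the tree with its nesting depth."""
    for line in tree_text.splitlines():
        match = _TREE_LINE.match(line.rstrip())
        if not match:
            continue
        fields = match.group("coords").split(":")
        if len(fields) < 4:
            continue  # separator lines and other non-coordinate output
        # groupId:artifactId:type[:classifier]:version[:scope]; the root line has no scope.
        version = fields[-2] if fields[-1] in MAVEN_SCOPES else fields[-1]
        depth = len(match.group("tree")) // 3  # dependency:tree indents 3 columns per level
        yield Dependency(fields[0], fields[1], version, depth)


def find_vulnerable_thrift(tree_text: str, fixed: str = FIXED_THRIFT_VERSION) -> List[Dependency]:
    """Every org.apache.thrift:libthrift in the tree that is older than the fixed release."""
    fixed_key = parse_version(fixed)
    return [
        dep for dep in iter_dependencies(tree_text)
        if (dep.group, dep.artifact) == ("org.apache.thrift", "libthrift")
        and parse_version(dep.version) < fixed_key
    ]


def main(argv: List[str]) -> int:
    tree_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TREE
    hits = find_vulnerable_thrift(tree_text)
    for dep in hits:
        print(f"VULNERABLE: {dep.group}:{dep.artifact}:{dep.version} at depth {dep.depth} "
              f"(< {FIXED_THRIFT_VERSION}, CVE-2020-13949)")
    if not hits:
        print(f"OK: no libthrift older than {FIXED_THRIFT_VERSION} found")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status lets the script gate a CI build until the transitive version actually changes, which matters here because the fix is several levels down (infomodel, then Jena, then libthrift) and a bump in the top-level pom does not by itself prove the vulnerable jar is gone; re-running the check on the new tree does.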