International-Data-Spaces-Association / Java-Representation-of-IDS-Information-Model

Apache License 2.0

Needed dependency update #8

Closed brianjahnke closed 3 years ago

brianjahnke commented 3 years ago

Hi, we perform security analysis on all builds of the Dataspace Connector and got a report for a vulnerability imported via the infomodel. The infomodel imports apache jena 3.16 which internally imports org.apache.thrift:libthrift:jar:0.13.0. libthrift 0.13 is affected by CVE-2020-13949 ('potential DoS when processing untrusted payloads') and has a severity level of 'High'. This has been fixed in version 0.14.

Please bump up the dependency version.

maboeckmann commented 3 years ago

Hi, thanks for the heads up. If we want to bump Apache Jena to 4.1.0 (3.17.0 sadly still uses the same thrift version), then we need to go from Java 8 to Java 11. I will need to notify others about this breaking change first, then we can look into fixing this vulnerability quickly.

maboeckmann commented 3 years ago

Hello @brianjahnke, I have updated Jena in all of our projects. Version 4.0.11-SNAPSHOT and later are affected. Thanks again for the report.
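The transitive chain reported in this issue (Jena 3.16 pulling in libthrift 0.13.0, affected by CVE-2020-13949 and fixed in 0.14) can be caught in a build pipeline by walking `mvn dependency:tree` output. This is an added example and not code from the infomodel project; the dependency tree below is constructed for illustration (`example:demo-app` is a placeholder, not the project's real coordinates), and the only advisory it knows about is the one named in this thread.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output, shaped like the chain
# described in the issue: a Jena 3.16 dependency bringing in libthrift 0.13.0.
SAMPLE_TREE = """\
[INFO] example:demo-app:jar:1.0
[INFO] +- org.apache.jena:jena-arq:jar:3.16.0:compile
[INFO] |  +- org.apache.jena:jena-core:jar:3.16.0:compile
[INFO] |  \\- org.apache.thrift:libthrift:jar:0.13.0:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
"""

# groupId:artifactId -> (first fixed version, advisory), taken from the issue text.
VULNERABLE = {
    "org.apache.thrift:libthrift": ("0.14.0", "CVE-2020-13949"),
}

# Each tree level is rendered by Maven as a 3-character prefix ("+- ", "|  ", "\- ").
TREE_LINE = re.compile(r"^\[INFO\] ((?:[|+\\\- ]{3})*)(\S+)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-prefix comparison: '0.13.0' -> (0, 13, 0); qualifiers are ignored."""
    nums = []
    for part in re.split(r"[.-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def find_vulnerable(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return (dependency path, version, advisory) for every vulnerable node."""
    findings = []
    stack: List[str] = []  # coordinates of the ancestors of the current node
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # build chatter that is not a tree node
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        ga = ":".join(parts[:2])
        # g:a:type:version[:scope] or g:a:type:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        del stack[depth:]
        stack.append(f"{ga}:{version}")
        if ga in VULNERABLE:
            fixed, advisory = VULNERABLE[ga]
            if parse_version(version) < parse_version(fixed):
                findings.append((" -> ".join(stack), version, advisory))
    return findings
```

Run against the real project with `mvn dependency:tree | python check.py`-style piping; a non-empty result should fail the build, and the path shows which direct dependency (here jena-arq) has to be bumped.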