apache / pulsar-manager

Apache Pulsar Manager
https://pulsar.apache.org/
Apache License 2.0

There is a vulnerability in Spring Boot 2.0.2.RELEASE, upgrade recommended #358

Open QiAnXinCodeSafe opened 3 years ago

QiAnXinCodeSafe commented 3 years ago

https://github.com/apache/pulsar-manager/blob/d15a0f1e45a3fe9821df51361584dce87e104948/build.gradle#L17

CVE-2020-5421

Recommended upgrade version: 2.1.17.RELEASE
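A report like the one above is only closed once the version the build script actually resolves is at or past the fixed one, so here is an added check (example code, not from the issue or the pulsar-manager project) that resolves Spring Boot artifact versions from a Gradle script, including `${property}` references, and flags any below the recommended version. The `build.gradle` fragment is constructed; only the 2.0.2.RELEASE and 2.1.17.RELEASE values come from the report, and the qualifier ordering (BUILD-SNAPSHOT < M < RC < RELEASE) is assumed from Spring's usual version scheme.

```python
import re

# Constructed Gradle fragment in the style of a Spring Boot build; NOT the
# project's real build.gradle. Only 2.0.2.RELEASE is taken from the issue.
SAMPLE_BUILD_GRADLE = """
buildscript {
    ext {
        springBootVersion = '2.0.2.RELEASE'
    }
}
dependencies {
    compile "org.springframework.boot:spring-boot-starter-web:${springBootVersion}"
    compile 'org.springframework.cloud:spring-cloud-starter-netflix-zuul:2.0.0.RELEASE'
}
"""

FIXED_VERSION = "2.1.17.RELEASE"  # recommended upgrade version from the report

# Assumed Spring qualifier ordering: snapshots < milestones < RCs < releases.
QUALIFIER_RANK = {"BUILD-SNAPSHOT": 0, "M": 1, "RC": 2, "RELEASE": 3}
PROP_RE = re.compile(r"(\w+)\s*=\s*['\"]([^'\"]+)['\"]")
DEP_RE = re.compile(r"org\.springframework\.boot:([\w-]+):([^'\"\s]+)")


def parse_version(version):
    """Turn '2.1.17.RC1' into a comparable tuple (2, 1, 17, rank, qualifier_no)."""
    nums, qual_rank, qual_num = [], QUALIFIER_RANK["RELEASE"], 0
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
            continue
        m = re.fullmatch(r"(BUILD-SNAPSHOT|M|RC|RELEASE)(\d*)", part)
        if not m:
            raise ValueError(f"unrecognised version component: {part!r}")
        qual_rank, qual_num = QUALIFIER_RANK[m.group(1)], int(m.group(2) or 0)
    nums = (nums + [0, 0, 0])[:3]  # pad a bare '2.1' to three numeric parts
    return (*nums, qual_rank, qual_num)


def find_spring_boot_versions(gradle_text):
    """Map each org.springframework.boot artifact to its resolved version string."""
    props = dict(PROP_RE.findall(gradle_text))  # e.g. springBootVersion -> '2.0.2.RELEASE'
    resolved = {}
    for artifact, version in DEP_RE.findall(gradle_text):
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)  # resolve ${property}
        resolved[artifact] = version
    return resolved


def vulnerable_spring_boot_deps(gradle_text, fixed_version=FIXED_VERSION):
    """Return {artifact: version} for Spring Boot artifacts older than fixed_version."""
    fixed = parse_version(fixed_version)
    return {a: v for a, v in find_spring_boot_versions(gradle_text).items()
            if parse_version(v) < fixed}
```

Running `vulnerable_spring_boot_deps(SAMPLE_BUILD_GRADLE)` on the constructed fragment returns `{'spring-boot-starter-web': '2.0.2.RELEASE'}`; the Zuul starter is not a Spring Boot artifact and is intentionally not reported, which is why the thread's Zuul dependency has to be handled separately.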

tuteng commented 3 years ago

Thanks, will upgrade later

tuteng commented 3 years ago

Since Zuul relies on a low version of Spring Boot, we need to do some planning:

  1. Consider using a gateway instead of Zuul
  2. Upgrade Spring Boot to the new version

compuguy commented 12 months ago

Any updates on this @tuteng? The latest release of pulsar-manager appears to still use a vulnerable version of Spring Boot 2.0.2? It's been nearly three years since this issue was opened....

Edit: looks like Spring Cloud Netflix Zuul is EOL and Spring Cloud Gateway is the currently supported alternative... https://github.com/spring-cloud/spring-cloud-netflix/issues/4158