justin-tay
commented
2 months ago - Undertow is a test dependency so this vulnerability won't affect you.
- Since this is a dependency and not an issue with the library itself, you could always manage the dependency version yourself in your pom.
- If the issue is with mvnrepository flagging it out, this can't be easily solved. Those 3 dependencies are under reevaluation in NIST and hence there are no longer listed as vulnerable cpes as the list of vulnerable configurations aren't available.
https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:redhat:undertow:2.2.33:-:*:*:*:*:*:*. - I shall send a PR to bump this to 2.2.35 but you shouldn't expect any changes in mvnrepository as it currently lists 2.2.35 with direct vulnerabilities. https://mvnrepository.com/artifact/io.undertow/undertow-core/2.2.35.Final
- CVE-2024-3653 Fixed in 2.2.34.
- CVE-2024-5971 Fixed in 2.2.34.
- CVE-2024-6162 Already fixed in 2.2.33
Pattern-Projects
Hello, The latest version of json-schema-validator is inheriting CVEs from the version of undertow in use. Seen here: https://mvnrepository.com/artifact/com.networknt/json-schema-validator/1.5.1 According to comments in the code, higher versions of undertow are not compatible with java 8.
<version.undertow>2.2.33.Final</version.undertow> <!-- 2.3.x and above is not Java 8 compatible -->Are there plans to deal with this in any way?Regards, Pattern