oracle / opengrok

OpenGrok is a fast and usable source code search and cross reference engine, written in Java
http://oracle.github.io/opengrok/

Dockerfile requests a vulnerable version of Apache Tomcat #4558

Closed dkr91 closed 3 months ago

dkr91 commented 3 months ago

The Dockerfile uses Apache Tomcat version 10.1.16-jdk17.

https://github.com/oracle/opengrok/blob/0f4d205de0c418a9b527b699ec8080f9fd114a19/Dockerfile#L44

This version is vulnerable to CVE-2024-23672 and CVE-2024-24549. A fix for these vulnerabilities is available in Apache Tomcat 10.1.19.

vladak commented 3 months ago

Not sure the CVEs actually apply to our use case (being WebSocket and HTTP/2 related), however upgrading Tomcat is usually a good thing to do anyway.
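Added example, not part of this issue or of the OpenGrok project: a small check that parses the `FROM` lines of a Dockerfile and reports any `tomcat` tag that predates 10.1.19, the fixed release the report names. The Dockerfile excerpt is constructed to mirror the pinned line the issue links to; tags on another release line or without a numeric version are flagged for manual review rather than compared.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Dockerfile excerpt modelled on the pinned line the issue links to
# (Dockerfile#L44); it is not the project's actual Dockerfile.
DOCKERFILE = """\
FROM ubuntu:jammy AS build
RUN apt-get update
FROM tomcat:10.1.16-jdk17
COPY --from=build /opengrok/dist /opengrok
"""

# The 10.1.x release the issue names as fixing both CVEs.
FIXED_LINE = (10, 1)
FIXED_TOMCAT = {"CVE-2024-23672": (10, 1, 19), "CVE-2024-24549": (10, 1, 19)}

def parse_tag_version(tag: str) -> Optional[Tuple[int, ...]]:
    """Numeric prefix of a tag such as '10.1.16-jdk17' -> (10, 1, 16); None if absent."""
    m = re.match(r"(\d+(?:\.\d+)*)", tag)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def image_refs(dockerfile: str):
    """Yield (image name, tag) for each FROM line, ignoring --platform flags and digests."""
    for line in dockerfile.splitlines():
        parts = line.split()
        refs = [p for p in parts[1:] if not p.startswith("--")]
        if not parts or parts[0].upper() != "FROM" or not refs:
            continue
        ref = refs[0].split("@", 1)[0]                        # drop @sha256:... digest
        name, _, tag = ref.rpartition("/")[2].partition(":")  # last path part, then tag
        yield name, tag

def vulnerable_cves(dockerfile: str) -> Dict[str, List[str]]:
    """Map each tomcat tag in the Dockerfile to the CVEs it predates, or to a review note."""
    findings: Dict[str, List[str]] = {}
    for name, tag in image_refs(dockerfile):
        if name != "tomcat":
            continue
        key = tag or "(no tag)"
        version = parse_tag_version(tag)
        if version is None or len(version) < 3:
            findings[key] = ["tag does not pin a full numeric version; review manually"]
        elif version[:2] != FIXED_LINE:
            findings[key] = ["not on the 10.1.x line covered here; check the Tomcat advisory"]
        else:
            exposed = sorted(cve for cve, fixed in FIXED_TOMCAT.items() if version < fixed)
            if exposed:
                findings[key] = exposed
    return findings
```

Running `vulnerable_cves(DOCKERFILE)` on the excerpt reports the 10.1.16-jdk17 tag against both CVEs, while a 10.1.19 tag produces no findings.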