perwendel / spark

A simple expressive web framework for Java. Spark has a Kotlin DSL: https://github.com/perwendel/spark-kotlin
Apache License 2.0

[Security] Cross-site Scripting detected by Snyk in jetty-util #1117

Closed kamilgregorczyk closed 5 years ago

kamilgregorczyk commented 5 years ago

I have a Snyk scanner which checks all the dependencies, and in spark-core 2.9.0 it found that jetty-util has two security issues: XSS and some information exposure.

https://snyk.io/test/github/kamilgregorczyk/event-sourced-bank?targetFile=pom.xml
https://github.com/kamilgregorczyk/event-sourced-bank/blob/master/pom.xml

Please upgrade jetty deps

robax commented 5 years ago

Can we get a response on this? @perwendel @tipsy

perwendel commented 5 years ago

@kamilgregorczyk @robax Thanks! Seems like an important fix and creates a need for a 2.9.1 release with updated jetty deps.

robax commented 5 years ago

@perwendel would you mind doing a quick release for this?

perwendel commented 5 years ago

@robax yup, on it right now!

perwendel commented 5 years ago

Fixed. 2.9.1 release made. Should be available on Maven Central soon!

robax commented 5 years ago

Thanks a lot @perwendel I super appreciate it :)
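The upgrade this thread asks for, as an added Maven fragment that is not from the spark project or any commenter: it pins spark-core to the 2.9.1 release named above, and additionally shows how a consumer can pin the transitive jetty-util version itself while waiting for an upstream release. The jetty-util version is a placeholder, since the thread does not state which Jetty version Snyk reports as fixed.

```xml
<!-- Added example, not from the spark project or this thread. pom.xml fragment:
     only the dependency sections are shown. -->
<project>
  <dependencies>
    <!-- spark-core 2.9.1 is the release in this thread that ships the
         updated Jetty dependencies; 2.9.0 pulled in the flagged jetty-util. -->
    <dependency>
      <groupId>com.sparkjava</groupId>
      <artifactId>spark-core</artifactId>
      <version>2.9.1</version>
    </dependency>
  </dependencies>

  <!-- Consumer-side pin: dependencyManagement overrides the version that
       spark-core declares transitively, so the fixed jetty-util is used even
       if some other dependency also drags in an older one. The version below
       is a PLACEHOLDER; take the fixed version from the Snyk report. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-util</artifactId>
        <version>FIXED_JETTY_VERSION_PLACEHOLDER</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Confirm what actually resolves with `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-util` and re-run the Snyk scan; note that pinning a transitive Jetty artifact to a version spark-core was not built against can break at runtime, so the override is a stopgap, not a substitute for the upstream 2.9.1 upgrade.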