Open ludoch opened 4 years ago
As a workaround, we can do for now:
```xml
<dependency>
  <groupId>com.sparkjava</groupId>
  <artifactId>spark-core</artifactId>
  <version>2.9.1</version>
  <exclusions>
    <exclusion>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-util</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-util</artifactId>
  <version>9.4.20.v20190813</version>
</dependency>
```
Was there any movement on this? OWASP dependencyCheck is flagging the version of jetty as vulnerable. My team has excluded jetty from the transitive dependency and is depending directly on a newer version of jetty.
https://nvd.nist.gov/vuln/detail/CVE-2021-28165
https://nvd.nist.gov/vuln/detail/CVE-2020-27216
I should note we are seeing this on spark 2.9.3. It is pulling in jetty 9.4.31.
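The workaround above only helps if every build keeps both halves of it: the exclusion on spark-core and the direct jetty-util pin at an acceptable version. The following script, added here and not part of SparkJava or this thread, parses a pom.xml and reports when either half is missing; the sample POM is constructed from the snippet above, and the minimum version passed to `check_pom` is a placeholder that you would set to the fixed version named in the NVD entries linked above.

```python
"""Check that a pom.xml applies the workaround from this issue: exclude the
jetty-util that spark-core pulls in transitively and pin it directly to a
version at or above a chosen minimum. Example code, not part of SparkJava."""
import xml.etree.ElementTree as ET

# Constructed sample POM, modelled on the workaround posted in the thread.
CONSTRUCTED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jetty.version>9.4.20.v20190813</jetty.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.sparkjava</groupId><artifactId>spark-core</artifactId>
      <version>2.9.1</version>
      <exclusions><exclusion><groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-util</artifactId></exclusion></exclusions>
    </dependency>
    <dependency>
      <groupId>org.eclipse.jetty</groupId><artifactId>jetty-util</artifactId>
      <version>${jetty.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_jetty_version(v):
    """'9.4.20.v20190813' -> (9, 4, 20, 20190813). Jetty 9.4 versions carry a
    'vYYYYMMDD' build-date suffix; plain string comparison would rank '9.4.9'
    above '9.4.31', so compare numerically and treat a missing part as 0."""
    nums = []
    for part in v.split("."):
        part = part[1:] if part.startswith("v") else part
        nums.append(int(part) if part.isdigit() else 0)
    return tuple((nums + [0, 0, 0, 0])[:4])

def check_pom(pom_xml, min_jetty_util):
    """Return a list of findings; an empty list means the workaround is in place."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():          # drop the POM namespace so tags match plainly
        el.tag = el.tag.split("}")[-1]
    props = {p.tag: (p.text or "").strip() for block in root.iter("properties") for p in block}
    def resolve(v):                 # expand ${property} references used in <version>
        return props.get(v[2:-1], v) if v.startswith("${") and v.endswith("}") else v
    findings, direct = [], ""
    for dep in root.iter("dependency"):
        gid, aid = dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip()
        if (gid, aid) == ("org.eclipse.jetty", "jetty-util"):
            direct = resolve(dep.findtext("version", "").strip())
        elif (gid, aid) == ("com.sparkjava", "spark-core"):
            excluded = {(e.findtext("groupId", "").strip(), e.findtext("artifactId", "").strip())
                        for e in dep.iter("exclusion")}
            if ("org.eclipse.jetty", "jetty-util") not in excluded:
                findings.append("spark-core does not exclude transitive jetty-util")
    if not direct:
        findings.append("no direct org.eclipse.jetty:jetty-util dependency with an explicit version")
    elif parse_jetty_version(direct) < parse_jetty_version(min_jetty_util):
        findings.append(f"jetty-util {direct} is below required minimum {min_jetty_util}")
    return findings

if __name__ == "__main__":
    # The minimum here is a placeholder; use the fixed version from the NVD entries.
    print(check_pom(CONSTRUCTED_POM, "9.4.20.v20190813") or "workaround in place")
```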
It seems that I am facing the Jetty bug https://github.com/eclipse/jetty.project/issues/3630 on the Google App Engine Java 11 runtime, so it would be nice to have a newer release with the update so that App Engine customers can run SparkJava.