thelastpickle / cassandra-reaper

Automated Repair Awesomeness for Apache Cassandra
http://cassandra-reaper.io/
Apache License 2.0
489 stars 217 forks

Security vulnerabilities in jersey component in Reaper #1248

Open vchauhan81 opened 1 year ago

vchauhan81 commented 1 year ago


We are using cassandra-reaper version 3.2.0 in our product. Recently we did a Blackduck security scan and the following issue was reported for Reaper.

Component name : jersey's jersey

Component version name : 2.33

CVE : CVE-2021-28168 (BDSA-2021-1123) - score 5.5

Can you please help us confirm:

Is version 3.2.0 vulnerable to this CVE? If yes, in which version will the fix be available?

Issue is synchronized with a Jira Story by Unito. Issue Number: REAP-80

adejanovski commented 1 year ago

We don't have a fix version for this yet.

vchauhan81 commented 1 year ago

@adejanovski Any idea if version 3.2.0 is vulnerable to this CVE?

adejanovski commented 1 year ago

Most probably, yes. I've created a PR which upgrades jersey to v2.34, which contains the fix. Let's see how CI goes.
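A downstream user who wants to verify for themselves whether a given Reaper build still resolves the affected jersey release can check the Maven dependency resolution rather than rely on the scanner alone. The script below is an added example, not tooling from the Reaper project: it parses the lines `mvn dependency:list` prints (`group:artifact:type:version:scope`) and flags every `org.glassfish.jersey` artifact whose version is older than 2.34, the version the comment above names as containing the fix. The listing embedded in it is constructed for illustration and is not taken from Reaper's actual build; the group prefix and fixed-in version are parameters so the same check works for other dependencies.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:list` output. It is NOT Reaper's real
# dependency tree; the versions are chosen to exercise the check.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.glassfish.jersey.core:jersey-server:jar:2.33:compile
[INFO]    org.glassfish.jersey.core:jersey-common:jar:2.33:compile
[INFO]    org.glassfish.jersey.containers:jersey-container-servlet:jar:2.34:compile
[INFO]    io.dropwizard:dropwizard-core:jar:2.0.0:compile
[INFO]    org.glassfish.jersey.media:jersey-media-jaxb:jar:2.33:runtime
"""

# One resolved coordinate per line: groupId:artifactId:type:version:scope
COORD_RE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)\s*$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.34' or '2.34.1-SNAPSHOT' into a tuple of ints for comparison.

    Non-numeric qualifiers are dropped, so '2.34-RC1' compares equal to
    '2.34'; that is a deliberate simplification of Maven's ordering rules.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_affected(listing: str,
                  group_prefix: str = "org.glassfish.jersey",
                  fixed_in: str = "2.34") -> List[str]:
    """Return 'group:artifact:version' for each artifact under group_prefix
    that resolves to a version older than fixed_in."""
    fixed = parse_version(fixed_in)
    affected = []
    for line in listing.splitlines():
        m = COORD_RE.match(line)
        if not m:
            continue  # progress lines, headers, etc.
        group, artifact, _type, version, _scope = m.groups()
        if not group.startswith(group_prefix):
            continue
        if parse_version(version) < fixed:
            affected.append(f"{group}:{artifact}:{version}")
    return affected


if __name__ == "__main__":
    # Typical use: mvn dependency:list > deps.txt; python check.py < deps.txt
    for coord in find_affected(SAMPLE_DEPENDENCY_LIST):
        print("still on pre-fix jersey:", coord)
```

Running it against a real build means piping `mvn dependency:list` output into `find_affected`; an empty result for the jersey group prefix is what an upgraded build should produce, while any line printed shows a transitive path that still pulls in the older release and needs a dependency-management override.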

vchauhan81 commented 1 year ago

Hi @adejanovski, which version of Reaper will have this fix?