Javalin: Upgrade Jetty version (old CVEs issues)?

Created on 15 Jun 2020 · 5 Comments · Source: tipsy/javalin

Hello, thank you for all your efforts on creating this framework! I fully appreciate the hard work that goes into maintaining open source software!

I've just run an OWASP check using org.owasp:dependency-check-gradle:5.2.1. I've only looked at the first CVE, and it seems to have already been solved in a newer minor Jetty version update. I suspect this may also apply to the others:

```
jetty-webapp-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-server-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-server@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-servlet-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-servlet@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-security-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-security@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:security-framework_project:security-framework:9.4.12.v20180830:*:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-server-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-servlet-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-servlet@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-client-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-client@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-client-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-client@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-http-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-http@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
websocket-common-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-common@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-xml-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-xml@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-util-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-util@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.12.v20180830:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
```
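As an added example (not from this issue or the Javalin project), a small parser for the one-line-per-jar summary format dependency-check prints above: it groups the findings by Maven group and version so that a dozen flagged jars collapse to the single library version that needs bumping. The sample report is constructed from two of the lines above plus one placeholder entry.

```python
"""Parse dependency-check summary lines and group findings by (group, version)."""
import re
from collections import defaultdict

# Constructed sample in the scanner's summary format: two real lines from
# the report above and one unrelated jar with a placeholder CVE id.
SAMPLE_REPORT = """\
jetty-webapp-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
jetty-util-9.4.12.v20180830.jar (pkg:maven/org.eclipse.jetty/jetty-util@9.4.12.v20180830, cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*) : CVE-2019-10241, CVE-2019-10247
other-lib-1.0.0.jar (pkg:maven/com.example/other-lib@1.0.0) : CVE-0000-0000
"""

# "<jar> (<purl>, <cpe>, ...) : CVE-..., CVE-..."
LINE_RE = re.compile(
    r"^(?P<jar>\S+\.jar) \((?P<ids>.*)\) : (?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)$"
)
# Maven package URL: pkg:maven/<group>/<artifact>@<version>
PURL_RE = re.compile(r"pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^,\s]+)")


def parse_line(line):
    """Return one finding as a dict, or None if the line is not a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    purl = PURL_RE.search(m.group("ids"))
    if not purl:
        return None
    return {
        "jar": m.group("jar"),
        "group": purl.group("group"),
        "artifact": purl.group("artifact"),
        "version": purl.group("version"),
        "cpes": [t for t in m.group("ids").split(", ") if t.startswith("cpe:")],
        "cves": sorted(set(m.group("cves").split(", "))),
    }


def group_by_version(report):
    """Map (group, version) -> {'artifacts': [names], 'cves': sorted unique ids}."""
    grouped = defaultdict(lambda: {"artifacts": [], "cves": set()})
    for line in report.splitlines():
        finding = parse_line(line)
        if finding is None:
            continue  # headers, blank lines, anything not in summary format
        key = (finding["group"], finding["version"])
        grouped[key]["artifacts"].append(finding["artifact"])
        grouped[key]["cves"].update(finding["cves"])
    return {k: {"artifacts": v["artifacts"], "cves": sorted(v["cves"])}
            for k, v in grouped.items()}
```

Run over the full report above, every Jetty finding lands under one key, which is the quickest way to see that a single version bump (or finding which dependency pins the old one) closes all of them.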
All 5 comments

Hi @AnharMiah! The version of Jetty in your project is not the version of Jetty that Javalin depends on; you have some other dependency pulling in an old version.

Hi @tipsy, I'll double check, but as far as I'm aware it's only Javalin that is bringing that in. Mind you, I'm using Javalin 2.2.0 at the moment; I can upgrade to the latest, but I'm not sure of the breaking changes between 2 and 3.x.

OK to close this now. I've set up a test project using the newer v3.8.0 and re-ran the scan, and it's fine, so this only affects older versions. I'll upgrade and refactor :+1:

Aha, that makes sense then. Let me know if you run into trouble.

Thanks @tipsy, I've only found one breaking change, which was basically changing the import from javalin.Context over to javalin.http.Content, so a regex replace fixed that pretty quickly! Re-ran all the tests and they passed, so it seems to be all good :)
