
Latest resteasy-spring-boot-starter still pulling in vulnerable resteasy versions

    Details

    • Type: Quality Risk
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: spring-boot-starter-3.4.0.Final
    • Fix Version/s: None
    • Component/s: Spring / Spring Boot
    • Labels: None

      Description

      Hello!

      First of all, thank you for providing this amazing library and the effort you put into it.

      Since the weekend, we get some security warnings from the OWASP scanner in our builds for

      resteasy-spring-boot-starter-3.4.0.Final.jar: CVE-2020-1695
      resteasy-jaxrs-3.11.2.Final.jar: CVE-2020-1695

      It looks like version 3.4.0 of the starter itself has been marked as unsafe and it also sadly still pulls in the 3.11.2 versions of the resteasy libraries.

      Since those security issues are ranked quite highly, will there be a release of a "3.4.1" version that pulls in the safe 3.12.0.Final resteasy libraries?

      I absolutely thank you for your efforts in advance!
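Until a starter release that depends on the fixed RESTEasy libraries is available, a consumer can pin the transitive RESTEasy artifacts itself. The following Maven fragment is an added example, not part of the issue or of the RESTEasy project; the Maven coordinates (`org.jboss.resteasy` as groupId, `resteasy-bom` and `resteasy-spring-boot-starter` as artifactIds) are assumptions, and only the version numbers come from the report above.

```xml
<!-- Added example (not from the issue): import the RESTEasy BOM at the fixed
     release so every org.jboss.resteasy module the starter pulls in transitively
     (resteasy-jaxrs among them) resolves to 3.12.0.Final instead of 3.11.2.Final.
     Coordinates are assumed; check them against your repository. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.jboss.resteasy</groupId>
      <artifactId>resteasy-bom</artifactId>
      <version>3.12.0.Final</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The starter stays at the version the project already uses; only the
       RESTEasy libraries it depends on are overridden by the BOM above. -->
  <dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-spring-boot-starter</artifactId>
    <version>3.4.0.Final</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.jboss.resteasy` shows which RESTEasy artifacts and versions actually end up on the classpath; any `3.11.2.Final` entry remaining there means the override did not take effect (for example because a plugin or another BOM declares the version later). Note that this only fixes the transitive libraries: a scanner that flags the starter jar itself, as the report above shows for `resteasy-spring-boot-starter-3.4.0.Final.jar`, will keep reporting it until a starter built against the fixed libraries is published.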

              People

              • Assignee: Unassigned
              • Reporter: y.mortier Yannick Mortier
              • Votes: 0
              • Watchers: 1