Norman created OLINGO-1493:
------------------------------

Summary: Security Vulnerabilities in direct dependency netty-codec-http
Key: OLINGO-1493
URL: https://issues.apache.org/jira/browse/OLINGO-1493
Project: Olingo
Issue Type: Bug
Components: odata4-server
Affects Versions: (Java) V4 4.7.1
Reporter: Norman

Dear Olingo Community,

odata-server-api and odata-server-core 4.7.1 have a direct dependency on io.netty *netty-codec-http 4.1.43.Final*.

This version has known security vulnerabilities ranked with medium and high CVSS scores.

See:
https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439 -> fixed in 4.1.53Final or higher
https://snyk.io/vuln/SNYK-JAVA-IONETTY-543669 -> fixed in 4.1.44.Final or higher
https://snyk.io/vuln/SNYK-JAVA-IONETTY-543490 -> fixed in 4.1.44.Final or higher

Upgrading the dependency to 4.1.53Final would fix the issue.

P.S. com.fasterxml.jackson.core » jackson-core 2.10.0 is outdated, too, and could be upgraded to 2.11.3.

Additional Links:
https://mvnrepository.com/artifact/org.apache.olingo/odata-server-core/4.7.1
https://mvnrepository.com/artifact/org.apache.olingo/odata-server-api/4.7.1

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
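
A consumer-side check for the condition reported above, as an added example that is not part of the original message or of the Olingo project: it scans `mvn dependency:tree` output for netty-codec-http and lists which of the three advisories are still open, using the fix versions quoted in the report. The sample tree is constructed and the function names are illustrative.

```python
import re

# First fixed netty-codec-http version per advisory, copied verbatim from the report.
FIX_FLOORS = {
    "SNYK-JAVA-IONETTY-1020439": "4.1.53Final",
    "SNYK-JAVA-IONETTY-543669": "4.1.44.Final",
    "SNYK-JAVA-IONETTY-543490": "4.1.44.Final",
}
ARTIFACT = "io.netty:netty-codec-http"

# Constructed sample in the shape of `mvn dependency:tree` output (not real build output).
SAMPLE_TREE = """\
[INFO] com.example:demo-service:jar:1.0.0
[INFO] +- org.apache.olingo:odata-server-core:jar:4.7.1:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.43.Final:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.10.0:compile
[INFO] \\- org.apache.olingo:odata-server-api:jar:4.7.1:compile
"""

# groupId:artifactId:jar:version:scope, as printed by the dependency plugin.
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def version_key(version):
    """Numeric part of a netty version: '4.1.43.Final' or '4.1.53Final' -> (4, 1, 43)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups())


def audit(tree_text):
    """Return [(version, [open advisory ids])] for each netty-codec-http entry."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m or f"{m.group(1)}:{m.group(2)}" != ARTIFACT:
            continue
        found = m.group(3)
        open_ids = sorted(adv for adv, floor in FIX_FLOORS.items()
                          if version_key(found) < version_key(floor))
        findings.append((found, open_ids))
    return findings


if __name__ == "__main__":
    for version, ids in audit(SAMPLE_TREE):
        print(version, "->", ", ".join(ids) or "no listed advisory applies")
```

Numeric comparison matters here: a plain string comparison of version labels would misorder releases such as 4.1.9 and 4.1.44.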