[
https://issues.apache.org/jira/browse/NIFI-10084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mike R updated NIFI-10084:
--------------------------
Description:
It looks like commons-httpclient-3.1, which is found at
nifi-toolkit-current/lib/commons-httpclient-3.1.jar is vulnerable to a CVE and
is end of life. The CVE is [https://nvd.nist.gov/vuln/detail/CVE-2012-5783].
There is also CVE-2020-13956.
When I look for updates, it looks like the end of life was 16 December 2007,
with the newer module being [Maven Repository: org.apache.httpcomponents »
httpclient
(mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient]
More information can be found from [the Apache
website|https://hc.apache.org/downloads.cgi].
The vulnerable component is found at
/nifi-toolkit/lib/commons-httpclient-3.1.jar.
was:
It looks like commons-httpclient-3.1, which is found at
nifi-toolkit-current/lib/commons-httpclient-3.1.jar is vulnerable to a CVE and
is end of life. The CVE is https://nvd.nist.gov/vuln/detail/CVE-2012-5783
When I look for updates, it looks like the end of life was 16 December 2007,
with the newer module being [Maven Repository: org.apache.httpcomponents »
httpclient
(mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient]
Version 4.5.13 of the httpclient will resolve the CVE
> Upgrade commons-httpclient
> --------------------------
>
> Key: NIFI-10084
> URL: https://issues.apache.org/jira/browse/NIFI-10084
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Mike R
> Priority: Major
>
> It looks like commons-httpclient-3.1, which is found at
> nifi-toolkit-current/lib/commons-httpclient-3.1.jar is vulnerable to a CVE
> and is end of life. The CVE is
> [https://nvd.nist.gov/vuln/detail/CVE-2012-5783].
> There is also CVE-2020-13956.
> When I look for updates, it looks like the end of life was 16 December 2007,
> with the newer module being [Maven Repository: org.apache.httpcomponents »
> httpclient
> (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient]
> More information can be found from [the Apache
> website|https://hc.apache.org/downloads.cgi].
> The vulnerable component is found at
> /nifi-toolkit/lib/commons-httpclient-3.1.jar.
>