[
https://issues.apache.org/jira/browse/NIFI-10149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557026#comment-17557026
]
David Handermann commented on NIFI-10149:
-----------------------------------------
[~msr1716], as mentioned on the associated pull request, jetty-schemas 5.2 is
the latest version available, and it is not vulnerable to any issues associated
with Jetty 9.4.
In addition, the Apache JSP library is a repackaged library for Jetty and does
not have the vulnerabilities associated with Apache Tomcat server, as described
in the dependency check suppression configuration:
https://github.com/apache/nifi/blob/main/nifi-dependency-check-maven/suppressions.xml#L73
> Update Apache JSP To 11.0.9
> ---------------------------
>
> Key: NIFI-10149
> URL: https://issues.apache.org/jira/browse/NIFI-10149
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.16.1, 1.16.2, 1.16.3
> Reporter: Mike R
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Looking at the Maven dependencies, it was seen that Apache JSP 9.4 uses a
> vulnerable version of
> [jetty-schemas|https://mvnrepository.com/artifact/org.eclipse.jetty.toolchain/jetty-schemas],
> which is 5.2. Updating this specific version to 11.0.9 of Apache JSP will
> remove this dependency.