[ https://issues.apache.org/jira/browse/NIFI-10149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557026#comment-17557026 ]
David Handermann commented on NIFI-10149:
-----------------------------------------

[~msr1716], as mentioned on the associated pull request, jetty-schemas 5.2 is the latest version available, and it is not vulnerable to any issues associated with Jetty 9.4.

In addition, the Apache JSP library is a repackaged library for Jetty and does not have the vulnerabilities associated with Apache Tomcat server, as described in the dependency check suppression configuration:

https://github.com/apache/nifi/blob/main/nifi-dependency-check-maven/suppressions.xml#L73

> Update Apache JSP To 11.0.9
> ---------------------------
>
> Key: NIFI-10149
> URL: https://issues.apache.org/jira/browse/NIFI-10149
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.16.1, 1.16.2, 1.16.3
> Reporter: Mike R
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Looking at the Maven dependencies, it was seen that Apache JSP 9.4 uses a
> vulnerable version of
> [jetty-schemas|https://mvnrepository.com/artifact/org.eclipse.jetty.toolchain/jetty-schemas],
> which is 5.2. Updating this specific version to 11.0.9 of Apache JSP, will
> remove this dependency

--
This message was sent by Atlassian Jira
(v8.20.7#820007)