[ https://issues.apache.org/jira/browse/NIFI-10333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577425#comment-17577425 ]
David Handermann commented on NIFI-10333:
-----------------------------------------
[~msr1716], the vulnerabilities listed apply to various database vendor drivers
and do not apply to HikariCP.
HikariCP 5.0 requires Java 11, and for now NiFi still supports Java 8, so 4.0.3
is the latest version.
> Hikari CP 4.0.3 to 5.0.1
> ------------------------
>
> Key: NIFI-10333
> URL: https://issues.apache.org/jira/browse/NIFI-10333
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.17.0, 1.16.2, 1.16.3
> Reporter: Mike R
> Priority: Major
>
> The version of HikariCP that NiFi is using is version Hikari CP 4.0.3. It is
> vulnerable to the following 8 vulnerabilities due to the dependencies:
> [CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
> [CVE-2022-21724|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724]
> [CVE-2021-45105|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105]
> [CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046]
> [CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832]
> [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]
> [CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
> [CVE-2020-25638|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25638]
> In version 5.0.1, it is only vulnerable to 2 CVEs.
> [CVE-2022-21724|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724]
> [CVE-2020-25638|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25638]