[ 
https://issues.apache.org/jira/browse/NIFI-10748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mike R updated NIFI-10748:
--------------------------
    Description: 
There are several versions of com.h2database used in NiFi, with some instances 
being 2.1.214, while others are 1.4.200.

There are several CVEs in the 1.4.200 program that are resolved in 2.1.214 that 
are all high or critical with scores above 8.1:
[CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
[CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
[CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]

The last remaining instance is found at: nifi-h2/nifi-h2-database/pom.xml

It looks like the remaining instances of h2 were updated in 
[NIFI-9585 Upgraded H2 from 1.4 to 2.1.210 · apache/nifi@bcc8d03 
(github.com)|https://github.com/apache/nifi/commit/bcc8d03314889e7d2d0724390059d0315efe2a34]

 

Here are the release notes for h2 database 
http://www.h2database.com/html/changelog.html

  was:
There are several versions of com.h2database used in NiFi, with some instances 
being 2.1.214, while others are 1.4.200.

There are several CVEs in the 1.4.200 program that are resolved in 2.1.214 that 
are all high or critical with scores above 8.1:
[CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
[CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
[CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]

The last remaining instance is found at: nifi-h2/nifi-h2-database/pom.xml

It looks like the remaining instances of h2 were updated in 
[NIFI-9585 Upgraded H2 from 1.4 to 2.1.210 · apache/nifi@bcc8d03 
(github.com)|https://github.com/apache/nifi/commit/bcc8d03314889e7d2d0724390059d0315efe2a34]


> Upgrade com.h2database to 2.1.214
> ---------------------------------
>
>                 Key: NIFI-10748
>                 URL: https://issues.apache.org/jira/browse/NIFI-10748
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.18.0
>            Reporter: Mike R
>            Priority: Major
>
> There are several versions of com.h2database used in NiFi, with some 
> instances being 2.1.214, while others are 1.4.200.
> There are several CVEs in the 1.4.200 program that are resolved in 2.1.214 
> that are all high or critical with scores above 8.1:
> [CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
> [CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
> [CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]
> The last remaining instance is found at: nifi-h2/nifi-h2-database/pom.xml
> It looks like the remaining instances of h2 were updated in 
> [NIFI-9585 Upgraded H2 from 1.4 to 2.1.210 · apache/nifi@bcc8d03 
> (github.com)|https://github.com/apache/nifi/commit/bcc8d03314889e7d2d0724390059d0315efe2a34]
>  
> Here are the release notes for h2 database 
> http://www.h2database.com/html/changelog.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
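
A check for the mixed-version condition this issue describes, as an added example (not NiFi project code): it reads Maven POM text, finds every `com.h2database:h2` dependency, resolves a `${...}` version property defined in the same POM, and flags anything below 2.1.214. The module paths, the `h2.version` property name and the POM contents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 1, 214)  # target version named in the issue
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """'1.4.200' -> (1, 4, 200); None if the text does not start with a number."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def h2_versions(pom_xml):
    """Resolved version strings of every com.h2database:h2 dependency in one POM."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    # iter() also reaches entries under <dependencyManagement>
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if (dep.findtext("m:groupId", "", NS).strip() == "com.h2database"
                and dep.findtext("m:artifactId", "", NS).strip() == "h2"):
            raw = dep.findtext("m:version", "", NS).strip()
            ref = re.fullmatch(r"\$\{(.+)\}", raw)
            found.append(props.get(ref.group(1), raw) if ref else raw)
    return found

def outdated(poms):
    """Map POM path -> H2 versions below FIXED; versions that cannot be
    resolved locally (inherited or undefined property) are reported as well."""
    report = {}
    for path, xml_text in poms.items():
        bad = [v or "unresolved" for v in h2_versions(xml_text)
               if parse_version(v) is None or parse_version(v) < FIXED]
        if bad:
            report[path] = bad
    return report

# Constructed sample POM template; the property name is an assumption.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><h2.version>%s</h2.version></properties>
  <dependencies><dependency>
    <groupId>com.h2database</groupId><artifactId>h2</artifactId>
    <version>${h2.version}</version>
  </dependency></dependencies>
</project>"""
SAMPLE = {"module-a/pom.xml": POM % "1.4.200", "module-b/pom.xml": POM % "2.1.214"}

if __name__ == "__main__":
    for path, versions in outdated(SAMPLE).items():
        print(path, "->", ", ".join(versions))
```

Versions inherited from a parent POM show up as `unresolved` here; confirming those requires the effective POM of the build.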
