Vulnerability in dropwizard-client

Manuel Baden

Apr 24, 2024, 8:38:05 AM
to dropwizard-dev
Hello there,

I am using dropwizard (version 4.0.7) and when I run a dependency check it shows the following (transitive) vulnerability:

metrics-httpclient5-4.2.25.jar (pkg:maven/io.dropwizard.metrics/metrics-h...@4.2.25, cpe:2.3:a:apache:httpclient:4.2.25:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2020-13956

Is this problem getting fixed?

Thank you for your help
Manuel

Jochen Schalanda

Apr 29, 2024, 6:23:04 AM
to dropwiz...@googlegroups.com
Hi Manuel,

Your dependency check is taking a sh*t on you and your valuable time. I would ditch it for something actually working.

For the record, Dropwizard 4.0.7 is not using any of the vulnerable versions of Apache HttpClient.

The message mentions "metrics-httpclient5" which is an entirely different thing *and also not vulnerable*.

Cheers,
Jochen
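The false positive Jochen describes, a scanner matching a jar to a CPE whose vendor and product do not correspond to the Maven coordinates the scanner itself recorded, can be caught mechanically before anyone spends time on it. The script below is an added example, not code from this thread, from Dropwizard or from any scanner. It assumes report lines have the dependency-check style shape quoted above; the first sample line reconstructs Manuel's finding with the truncated artifactId filled in from the jar filename (an assumption), the second is a made-up line whose coordinates and CPE agree, for contrast. The suppression entry it emits follows the OWASP dependency-check suppression file layout (schema 1.3), which you should check against the schema your scanner version ships.

```python
"""Triage heuristic for dependency-check style findings (added example).

Parses report lines of the form

    <jar> (pkg:maven/<groupId>/<artifactId>@<version>,
           cpe:2.3:a:<vendor>:<product>:<version>:...) : CVE-..., CVE-...

and flags a CPE match as *suspect* when the CPE vendor/product do not line
up with the Maven coordinates. A suspect flag is a prompt to verify by hand
(e.g. look up the real Apache HttpClient version in the dependency tree),
not proof of a false positive.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<jar>\S+\.jar) \((?P<purl>pkg:maven/[^,]+), (?P<cpe>cpe:2\.3:[^)]+)\) : (?P<cves>.+)$"
)


@dataclass(frozen=True)
class Finding:
    jar: str
    group_id: str
    artifact_id: str
    artifact_version: str
    cpe_vendor: str
    cpe_product: str
    cpe_version: str
    cves: tuple[str, ...]


def parse_finding(line: str) -> Finding:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised report line: {line!r}")
    # purl: pkg:maven/<groupId>/<artifactId>@<version>
    coords, _, version = m.group("purl")[len("pkg:maven/"):].partition("@")
    group_id, artifact_id = coords.split("/", 1)
    # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    cpe = m.group("cpe").split(":")
    return Finding(
        jar=m.group("jar"),
        group_id=group_id,
        artifact_id=artifact_id,
        artifact_version=version,
        cpe_vendor=cpe[3],
        cpe_product=cpe[4],
        cpe_version=cpe[5],
        cves=tuple(c.strip() for c in m.group("cves").split(",")),
    )


def is_suspect_match(f: Finding) -> bool:
    """True when the CPE vendor is not part of the groupId or the CPE
    product is not the artifactId. Version equality alone (4.2.25 here)
    is exactly what produces the mismatch seen in the thread."""
    vendor_ok = f.cpe_vendor.lower() in f.group_id.lower().split(".")
    product_ok = f.cpe_product.lower() == f.artifact_id.lower()
    return not (vendor_ok and product_ok)


def suppression_rule(f: Finding) -> str:
    """Suppression entry in the OWASP dependency-check 1.3 layout for a
    suspect CPE match. Assumption: the scanner is dependency-check; verify
    element names against the suppression schema of your version."""
    purl_re = re.escape(f"pkg:maven/{f.group_id}/{f.artifact_id}@")
    return (
        "<suppress>\n"
        f"  <notes><![CDATA[{f.artifact_id} is not {f.cpe_vendor}:{f.cpe_product}; "
        "CPE matched on version string only]]></notes>\n"
        f'  <packageUrl regex="true">^{purl_re}.*$</packageUrl>\n'
        f"  <cpe>cpe:/a:{f.cpe_vendor}:{f.cpe_product}</cpe>\n"
        "</suppress>"
    )


# Constructed sample lines. The first reconstructs the thread's finding with
# the truncated artifactId taken from the jar filename; the second is a
# made-up line whose coordinates and CPE agree (whether the listed CVE applies
# to that version is not the point of this check).
SAMPLE_LINES = [
    "metrics-httpclient5-4.2.25.jar (pkg:maven/io.dropwizard.metrics/metrics-httpclient5@4.2.25, "
    "cpe:2.3:a:apache:httpclient:4.2.25:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2020-13956",
    "httpclient-4.2.5.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5, "
    "cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577",
]


def triage(lines):
    results = []
    for line in lines:
        f = parse_finding(line)
        results.append((f, is_suspect_match(f)))
    return results


if __name__ == "__main__":
    for finding, suspect in triage(SAMPLE_LINES):
        verdict = "SUSPECT CPE match, verify by hand" if suspect else "coordinates agree"
        print(f"{finding.jar}: {verdict}")
        if suspect:
            print(suppression_rule(finding))
```

Run as-is to see the thread's line flagged and the contrast line pass. Treat a suspect flag as a reason to check the actual dependency tree (for instance which Apache HttpClient version the build really pulls in) before adding the suppression, so a genuine hit on a differently named fork does not get silenced along with the noise.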