Vulnerability in dropwizard-client
Manuel Baden
Apr 24, 2024, 8:38:05 AM
to dropwizard-dev
Hello there,
I am using Dropwizard (version 4.0.7) and when I run a dependency check it shows the following (transitive) vulnerability:
metrics-httpclient5-4.2.25.jar (pkg:maven/io.dropwizard.metrics/metrics-h...@4.2.25, cpe:2.3:a:apache:httpclient:4.2.25:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2020-13956
Is this problem getting fixed?
Thank you for your help
Manuel
Jochen Schalanda
Apr 29, 2024, 6:23:04 AM
to dropwiz...@googlegroups.com
Hi Manuel,
Your dependency check is taking a sh*t on you and your valuable time. I would ditch it for something actually working.
For the record, Dropwizard 4.0.7 is not using any of the vulnerable versions of Apache HttpClient.
https://github.com/dropwizard/dropwizard/blob/v4.0.7/dropwizard-dependencies/pom.xml#L37-L38
The message mentions "metrics-httpclient5" which is an entirely different thing *and also not vulnerable*.
https://github.com/dropwizard/metrics/blob/v4.2.25/metrics-httpclient5/pom.xml#L21
Cheers,
Jochen
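The finding quoted in the first message is a CPE identifier coincidence: dependency-check saw "httpclient" in the file name and took the artifact's own version (4.2.25, the Metrics release number) as the Apache HttpClient version. The script below is an added example for this thread, not code from Dropwizard, Metrics or dependency-check. It reads findings in the one-line text shape quoted above (sample lines constructed here, with the artifact name spelled out in full where the archive truncated it), flags CPE matches whose vendor token does not appear anywhere in the artifact's Maven groupId while the CPE version is simply the artifact's version, and emits a dependency-check suppression entry for each flagged match. The heuristic only settles whether the CPE refers to the artifact at all; whether a CVE applies to a genuine match is a separate version check, and a suppression is only justified once the declared HttpClient version has been confirmed against the dependency tree, as the linked pom.xml files do.

```python
"""Triage dependency-check CPE matches that rest on a version coincidence.

Added example, not dependency-check's or Dropwizard's own code.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of dependency-check text findings in the shape quoted in
# the thread. The second line is a made-up, genuinely Apache-owned artifact so
# the two cases can be told apart; its version is not a claim about any project.
SAMPLE_FINDINGS = """\
metrics-httpclient5-4.2.25.jar (pkg:maven/io.dropwizard.metrics/metrics-httpclient5@4.2.25, cpe:2.3:a:apache:httpclient:4.2.25:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2020-13956
httpclient-4.5.5.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.5.5, cpe:2.3:a:apache:httpclient:4.5.5:*:*:*:*:*:*:*) : CVE-2020-13956
"""

FINDING_RE = re.compile(
    r"^(?P<file>\S+) \((?P<purl>pkg:[^,]+), (?P<cpe>cpe:2\.3:[^)]+)\) : (?P<cves>.+)$"
)
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>.+)$")

# Schema URL used by dependency-check's suppression file format.
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its leading fields.

    Layout: cpe:2.3:part:vendor:product:version:update:... A plain split is
    enough for scanner output; escaped colons (\\:) are not handled here.
    """
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %s" % cpe)
    return {"part": parts[2], "vendor": parts[3], "product": parts[4], "version": parts[5]}


def parse_finding(line: str) -> Optional[Dict[str, object]]:
    """Parse one finding line; return None for lines in another shape."""
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    p = PURL_RE.match(m.group("purl"))
    if not p:
        return None
    cpe = parse_cpe23(m.group("cpe"))
    group_tokens = set(p.group("group").split("."))
    # Identifier-coincidence signature: the CPE vendor is absent from the Maven
    # groupId, and the "vulnerable version" is just the artifact's own version.
    vendor_unrelated = cpe["vendor"] not in group_tokens
    version_is_artifact_version = cpe["version"] == p.group("version")
    return {
        "file": m.group("file"),
        "group": p.group("group"),
        "artifact": p.group("artifact"),
        "version": p.group("version"),
        "vendor": cpe["vendor"],
        "product": cpe["product"],
        "cpe_version": cpe["version"],
        "cves": [c.strip() for c in m.group("cves").split(",")],
        "likely_false_positive": vendor_unrelated and version_is_artifact_version,
    }


def parse_findings(text: str) -> List[Dict[str, object]]:
    return [f for f in (parse_finding(l) for l in text.splitlines()) if f is not None]


def suppression_xml(findings: List[Dict[str, object]]) -> str:
    """Build a dependency-check suppression file for the flagged findings.

    Each entry pins the package URL (regex on group/artifact, any version) to
    the CPE 2.2 vendor:product it must never be matched with again.
    """
    entries = []
    for f in findings:
        if not f["likely_false_positive"]:
            continue
        purl_regex = "^pkg:maven/%s/%s@.*$" % (re.escape(f["group"]), re.escape(f["artifact"]))
        note = (
            "%s is %s:%s (its own version %s), not %s:%s; the CPE match rests on the "
            "version string alone. Suppressed: %s"
            % (f["file"], f["group"], f["artifact"], f["version"],
               f["vendor"], f["product"], ", ".join(f["cves"]))
        )
        entries.append(
            "  <suppress>\n"
            "    <notes><![CDATA[%s]]></notes>\n"
            "    <packageUrl regex=\"true\">%s</packageUrl>\n"
            "    <cpe>cpe:/a:%s:%s</cpe>\n"
            "  </suppress>" % (note, purl_regex, f["vendor"], f["product"])
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="%s">\n%s\n</suppressions>\n' % (SUPPRESSION_NS, "\n".join(entries))
    )


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_FINDINGS):
        verdict = "LIKELY FALSE POSITIVE" if f["likely_false_positive"] else "review version"
        print("%-40s %s:%s -> %s" % (f["file"], f["vendor"], f["product"], verdict))
    print(suppression_xml(parse_findings(SAMPLE_FINDINGS)))
```

Point the generated file at the plugin with its suppressionFiles setting (or the CLI's --suppression flag) and keep the CDATA note: a suppression without the reason it was accepted is the kind of entry that quietly outlives the version it was written for.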