Hello!
For details about the CVE-2022-22965 vulnerability, visit Spring Security Advisories at https://spring.io/security/cve-2022-22965.
According to the CVE-2022-22965 vulnerability details, Spring products affected by the CVE-2022-22965 vulnerability are as follows:
· Spring Framework [5.3.0, 5.3.17], [5.2.0, 5.2.19] and older versions
Previously, only <spring5.version>5.1.5.RELEASE</spring5.version> was replaced with <spring5.version>5.3.18</spring5.version> in process #5032. However, no changes have been made to <spring4.version>4.3.20.RELEASE</spring4.version>. In Jersey 2.36, modules such as ext and examples depend on spring-framework 4.3.20.RELEASE, which is affected by the CVE-2022-22965 vulnerability. Is Jersey 2.36 affected by this vulnerability? Do we need to do something to fix this? Thanks!
Please understand that the versions of Spring in Jersey are our compile-time dependencies. It is perfectly fine to use later versions of Spring in your runtime environment. I assume you are aware that, for your compile time, you may exclude Spring from the Jersey dependencies and bring a new Spring dependency into your pom file.
Also, later versions of Jersey use later versions of Spring; the latest, 2.39.1, uses Spring 4.3.30.RELEASE and 5.3.22. But any other compatible version of Spring can be used there in the same way.
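The override the maintainer describes, as an added example that is not part of this thread or of the Jersey project: a consumer pom that excludes the Spring artifacts Jersey declares and pins Spring to the patched 5.3.18 release named above (the artifact coordinates jersey-spring5 and spring-framework-bom are assumed; adjust if your build uses jersey-spring4).

```xml
<!-- Added example, not Jersey's own pom: pin Spring in an application that uses
     Jersey's Spring integration. Coordinates are assumptions; check your own tree. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>jersey-app</artifactId>
  <version>1.0</version>

  <properties>
    <!-- 5.3.18 is the fixed release cited in the issue; any later compatible 5.x also works -->
    <spring.version>5.3.18</spring.version>
    <jersey.version>2.36</jersey.version>
  </properties>

  <!-- Option A: importing the Spring BOM makes these versions win over the
       transitive versions that Jersey's modules declare. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>${spring.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Option B: drop every Spring artifact Jersey pulls in, then declare Spring directly. -->
    <dependency>
      <groupId>org.glassfish.jersey.ext</groupId>
      <artifactId>jersey-spring5</artifactId>
      <version>${jersey.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.version}</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, run `mvn dependency:tree -Dincludes=org.springframework` and confirm that no 4.3.x or 5.3.17-and-earlier Spring artifact remains on the resolved classpath, since the compile-time version in Jersey's own pom is irrelevant once your build resolves a patched one.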
Hi, I understand that you can exclude Spring from the Jersey dependencies during compilation and bring new Spring dependencies into the pom file. However, many users do not know about this risk and do not actively change an earlier version of Spring to a later version.
In addition, Spring 4.3.30.RELEASE, used by the latest 2.39.1, is also affected by the CVE-2022-22965 vulnerability. Do we need to do something to fix this? Thank you.
There is no newer version of Spring 4 than Spring 4.3.30.RELEASE. If there is a CVE in it, Jersey can hardly do anything about it. Version 4 is deprecated, and the users who use it need to understand that.