[jetty-users] CVE's Observed in OpenID Jar from Jetty 9.4.31

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] CVE's Observed in OpenID Jar from Jetty 9.4.31

From: Wang Yicheng <wangyicheng1209@xxxxxxxxx>
Date: Tue, 20 Oct 2020 10:52:10 -0700
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Hi all,

We're using Jetty as the web server in our project. My team hold regular security scans on all 3rd party libs.The latest scan reported 2 CVE's (CVE-2007-1651 & CVE-2007-1652) were found in OpenID jar, carried by Jetty 9.4.31. However, these two CVE's were reported back in 2007. Though it's hard to believe the vulnerabilities are not addressed today, could anyone help check if the two reported issues still exist in the latest version? Many thanks!

Best,

Yicheng

Follow-Ups:
- Re: [jetty-users] CVE's Observed in OpenID Jar from Jetty 9.4.31
  - From: Travis Spencer

Prev by Date: Re: [jetty-users] Is it necessary to close session in WebSocketConnectionListener.onWebSocketError ?
Next by Date: Re: [jetty-users] CVE's Observed in OpenID Jar from Jetty 9.4.31
Previous by thread: [jetty-users] Is it necessary to close session in WebSocketConnectionListener.onWebSocketError ?
Next by thread: Re: [jetty-users] CVE's Observed in OpenID Jar from Jetty 9.4.31
Index(es):
- Date
- Thread

Breadcrumbs