Undertow version containing CVEs #1109

Closed
Pattern-Projects opened this issue Aug 30, 2024 · 3 comments · Fixed by #1110
Comments

@Pattern-Projects

Hello,
The latest version of json-schema-validator is inheriting CVEs from the version of undertow in use.
Seen here: https://mvnrepository.com/artifact/com.networknt/json-schema-validator/1.5.1
According to comments in the code, higher versions of undertow are not compatible with java 8.
<version.undertow>2.2.33.Final</version.undertow> <!-- 2.3.x and above is not Java 8 compatible -->
Are there plans to deal with this in any way?

Regards,
Pattern

@justin-tay
Contributor

  • Undertow is a test dependency, so this vulnerability won't affect you.
  • Since this is a dependency and not an issue with the library itself, you could always manage the dependency version yourself in your pom.
  • If the issue is with mvnrepository flagging it, this can't be easily solved. Those 3 dependencies are under reevaluation in NIST, and hence they are no longer listed as vulnerable CPEs, as the list of vulnerable configurations isn't available. https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:redhat:undertow:2.2.33:-:*:*:*:*:*:*
  • I shall send a PR to bump this to 2.2.35, but you shouldn't expect any changes in mvnrepository, as it currently lists 2.2.35 with direct vulnerabilities. https://mvnrepository.com/artifact/io.undertow/undertow-core/2.2.35.Final
  • CVE-2024-3653: fixed in 2.2.34.
  • CVE-2024-5971: fixed in 2.2.34.
  • CVE-2024-6162: already fixed in 2.2.33.
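The "manage the dependency version yourself in your pom" suggestion above, written out as an added example (not code from the json-schema-validator project or from either commenter). The coordinates io.undertow:undertow-core, 2.2.35.Final and com.networknt:json-schema-validator:1.5.1 come from the thread; the project skeleton around them is illustrative. Two points worth checking before adding this: a test-scoped dependency of a library is not transitive in Maven, so json-schema-validator's Undertow never reaches a consumer's classpath on its own, and dependencyManagement only pins a version for paths that already pull the artifact in, it does not add it.

```xml
<!-- Added example (not the json-schema-validator project's own pom):
     a consuming project that pins undertow-core to a patched release. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- illustrative coordinates -->
  <artifactId>schema-consumer</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Forces 2.2.35.Final on every direct or transitive path that brings
           undertow-core in; adds nothing to the classpath by itself. -->
      <dependency>
        <groupId>io.undertow</groupId>
        <artifactId>undertow-core</artifactId>
        <version>2.2.35.Final</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library from the thread; its own Undertow is test scope and is
         therefore not inherited here. -->
    <dependency>
      <groupId>com.networknt</groupId>
      <artifactId>json-schema-validator</artifactId>
      <version>1.5.1</version>
    </dependency>
  </dependencies>
</project>
```

To confirm what actually lands on the classpath, run `mvn dependency:tree -Dincludes=io.undertow` in the consuming project: an empty result means no Undertow is resolved at all, and any hit will show the managed 2.2.35.Final rather than whatever the transitive path asked for.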

@Pattern-Projects
Author

Thank you for the response @justin-tay, it clarifies things for me. We can manage undertow ourselves in the pom as you described.

@Pattern-Projects
Author

Closing
