Comments (4)
Note that a successful exploitation of CVE-2023-6378/CVE-2023-6481 requires that logback-receiver component is enabled and also reachable by the attacker.
Source: https://logback.qos.ch/news.html#1.3.14
Dropwizard isn't using this Logback component, so I'd argue it's not exactly high on our priority list.
This being said, with so many useless "security" scanners on the market and developers having to obey their false positives and shitty evaluations, I guess we'll carve another release of Dropwizard 2.1.x, 3.0.x, and 4.0.x. 🙄
from dropwizard.
Fixed in v2.1.11. Thanks a lot! 🌻
I also vote for that feature ;)
Just mentioning that Spring Boot will not update Logback for the same reasons: spring-projects/spring-boot#38643