It appears that QuickBuild uses jetty version 9.2.25.v20180606, which has some known security vulnerabilities, listed on:
Jetty Security Reports | The Eclipse Foundation (www.eclipse.org)
Would it be possible to update the version of jetty used by QuickBuild to a version that contains fixes for the high severity CVEs?
It appears that jetty 9.4.39, 10.0.2, 11.0.2 all have a fix for the most recent high severity CVE listed in the above link.
In QuickBuild-10.0.41, I see the following files on the server and the nodes:
/framework/configuration/org.eclipse.osgi/lib/jetty-continuation-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-http-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-io-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-security-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-server-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-servlet-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-servlets-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-util-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-xml-9.2.25.v20180606.jar
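An inventory check for the jar names listed in the post, as an added example that is not part of the original post or of QuickBuild: it parses the Jetty version out of each file name and compares it with the fixed releases the post names (9.4.39, 10.0.2, 11.0.2). The function names, the constructed sample entries, and the choice to compare every 9.x jar against 9.4.39 are assumptions of this example.

```python
import os
import re
import sys

# Fixed releases per major line, taken from the post above.
# Assumption of this example: every 9.x jar is compared against 9.4.39.
FIXED = {9: (9, 4, 39), 10: (10, 0, 2), 11: (11, 0, 2)}

# jetty-<module>-<major>.<minor>.<patch>[.v<date>].jar
JAR_RE = re.compile(r"(jetty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?\.jar$")

# Two paths from the post plus two constructed entries for comparison.
SAMPLE = [
    "/framework/configuration/org.eclipse.osgi/lib/jetty-server-9.2.25.v20180606.jar",
    "/framework/configuration/org.eclipse.osgi/lib/jetty-util-9.2.25.v20180606.jar",
    "lib/jetty-servlets-9.4.39.v20210325.jar",  # constructed
    "lib/jetty-util-10.0.1.jar",                # constructed
]


def check_jar(path):
    """Return (module, version, status) for a Jetty jar path, else None."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2, 3, 4))
    floor = FIXED.get(version[0])
    if floor is None:
        status = "unlisted-branch"  # major line the post does not mention
    elif version >= floor:
        status = "at-or-above-fix"
    else:
        status = "below-fix"
    return m.group(1), version, status


def below_fix(paths):
    """Keep only the paths whose Jetty version is older than the fix."""
    results = ((p, check_jar(p)) for p in paths)
    return [p for p, r in results if r and r[2] == "below-fix"]


if __name__ == "__main__":
    # With a directory argument, walk it; otherwise use the sample list.
    paths = SAMPLE
    if len(sys.argv) > 1:
        paths = [os.path.join(d, f) for d, _, fs in os.walk(sys.argv[1]) for f in fs]
    for p in below_fix(paths):
        print("below fixed release:", p)
```

Run it with the QuickBuild installation directory as the argument on the server and on each node to list the jars that still predate the fixed releases.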