— Use After Free [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422] in com.github.jnr:jnr-posix@3.0.23
introduced by unknown:/opt/.venv/lib/python3.11/site-packages/h2o/backend/bin/h2o.jar@unknown > com.github.jnr:jnr-posix@3.0.23
It looks like the com.github.jnr:jnr-posix dependency is brought into h2o.jar via org.python:jython, although Gradle doesn't see the dependency:

```
./gradlew :h2o-assemblies:main:dependencyInsight --dependency jnr-posix --configuration runtimeClasspath

> Task :h2o-assemblies:main:dependencyInsight
No dependencies matching given input were found in configuration ':h2o-assemblies:main:runtimeClasspath'
```

jnr-posix seems to be a Jython dependency. From META-INF/maven/com.github.jnr/jnr-posix/pom.properties inside the Jython jar:

```
#Generated by Maven
#Thu Nov 12 15:35:48 CST 2015
version=3.0.23
groupId=com.github.jnr
artifactId=jnr-posix
```
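The gap described above (a library shaded into a fat jar that Gradle's dependency graph never lists, but that SCA tools find through the bundled `META-INF/maven/.../pom.properties`) can be checked directly on the jar. The following is an added example, not code from the h2o-3 project or the Snyk report; it scans a jar for Maven coordinate files, recurses into nested jars, and matches against a version list that, as an assumption, contains only the 3.0.23 version named on this page rather than the advisory's full affected range. The sample jar it builds is constructed for the example and is not the real h2o.jar.

```python
import io
import zipfile


def parse_pom_properties(text):
    """Parse the simple key=value format of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def find_bundled_artifacts(jar_bytes, location_prefix=""):
    """Return {"groupId:artifactId": (version, path)} for every Maven
    pom.properties inside the jar, descending into nested .jar entries."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                coord = f"{props.get('groupId')}:{props.get('artifactId')}"
                found[coord] = (props.get("version"), location_prefix + name)
            elif name.endswith(".jar"):  # jar-in-jar bundling
                found.update(find_bundled_artifacts(zf.read(name), location_prefix + name + "!"))
    return found


def flag_known_vulnerable(found, affected):
    """affected: {"groupId:artifactId": set of affected versions}."""
    return [(c, v, loc) for c, (v, loc) in found.items() if v in affected.get(c, ())]


def build_sample_jar():
    """Constructed stand-in for a fat jar: the jnr-posix pom.properties shown on
    this page merged flat, plus a nested jar to exercise recursion."""
    jnr = ("#Generated by Maven\n#Thu Nov 12 15:35:48 CST 2015\n"
           "version=3.0.23\ngroupId=com.github.jnr\nartifactId=jnr-posix\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:  # hypothetical nested library
        z.writestr("META-INF/maven/org.example/inner-lib/pom.properties",
                   "groupId=org.example\nartifactId=inner-lib\nversion=1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/maven/com.github.jnr/jnr-posix/pom.properties", jnr)
        z.writestr("lib/inner-lib-1.0.jar", inner.getvalue())
    return outer.getvalue()
```

Running `flag_known_vulnerable(find_bundled_artifacts(open("h2o.jar", "rb").read()), {"com.github.jnr:jnr-posix": {"3.0.23"}})` against a real build reports the shaded copy even though `dependencyInsight` shows nothing.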
…-posix (overriding org.python.core.imp class from Jython with custom changes, search for CUSTOM CHANGE) (#15866)
* [GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix
* Override jython class
* Add Jython version check
Support ticket: https://support.h2o.ai/a/tickets/106681