[2.8.20] CVE-2023-44487 in akka-http-core #12503

Closed
Captain1653 opened this issue Mar 29, 2024 · 1 comment
Comments

@Captain1653
Contributor

Snyk shows a problem with akka-http-core in 2.8.20 - high security vulnerability
https://security.snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-6483264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487
https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Fix is available in akka-http-core 10.5.3 or higher.

Is it possible to release 2.8.22 and fix this vulnerability?

@mkurz
Member

mkurz commented Apr 9, 2024

We will not upgrade akka-http beyond version 10.2.x in Play 2.9. If you are using Play 2.9 you can upgrade to the latest akka and akka-http versions as described in our documentation: https://www.playframework.com/documentation/2.9.x/ScalaAkka#Updating-Akka-version (be aware however that the latest versions of akka/akka-http make use of the BSL).

Also I want to mention CVE-2023-44487 only affects you if you have HTTP2 enabled in your Play application (which by default is disabled).

@mkurz mkurz closed this as completed Apr 9, 2024