sscarduzio / elasticsearch-readonlyrest-plugin

Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing

Home Page:https://readonlyrest.com


CVE vulnerabilities during scan of RoR plugin

esmierciakSR opened this issue · comments

CVE® is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.

https://cve.mitre.org/

In our use of the RoR plugin, our scanning of the plugin when part of a Docker image detected the following CVE vulnerabilities:

[three screenshots of the scan results attached to the issue]

Hi @esmierciakSR what version of ES did you scan? You know, netty and jackson are ES dependencies and we cannot do much with it

This was ES 7.9.1, packaged with the corresponding RoR for 7.9.1

The fix for most of the vulnerabilities would be to upgrade netty and jackson libraries to their latest version. For instance the latest version of jackson is 2.11.2 I think.
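The remediation proposed above is a dependency-version floor: the scanner flags bundled netty and jackson jars older than a fixed release. The script below is an added example, not code from the ReadonlyREST project or from anyone in this thread, that does the same check offline on a plugin directory listing by parsing Maven-style jar names and comparing them against per-family minimum versions. The jar names are constructed samples; the jackson floor of 2.11.2 is the version quoted in the thread, while the netty floor and the `plugins/readonlyrest` path are assumptions for illustration.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of jar names as they might appear in a plugin directory
# inside an Elasticsearch image. Versions are chosen for illustration only.
SAMPLE_JARS: List[str] = [
    "readonlyrest-1.24.0_es7.9.1.jar",
    "jackson-databind-2.10.4.jar",
    "jackson-core-2.11.2.jar",
    "netty-common-4.1.49.Final.jar",
    "netty-handler-4.1.51.Final.jar",
]

# Minimum acceptable version per artifact family (first dash-separated token).
# 2.11.2 is the jackson version quoted in the thread; the netty floor is an
# ASSUMPTION used as a placeholder, not a value from the thread.
MINIMUMS: Dict[str, str] = {
    "jackson": "2.11.2",
    "netty": "4.1.51.Final",
}

# Maven naming: <artifact>-<version>.jar, where the version starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[\w.]*)\.jar$")


def parse_jar(filename: str) -> Optional[Tuple[str, str]]:
    """Split 'netty-common-4.1.49.Final.jar' into ('netty-common', '4.1.49.Final')."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Comparable key: numeric segments compare as ints, textual ones (Final, RC1)
    as strings after all ints. Good enough for netty/jackson style versions;
    not a full Maven version comparator."""
    parts = re.split(r"[._-]", version)
    key = []
    for p in parts:
        key.append((0, int(p)) if p.isdigit() else (1, p))
    return tuple(key)


def find_outdated(jar_names: List[str], minimums: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (jar, artifact, version, minimum) for jars below their family's floor."""
    outdated = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        family = artifact.split("-")[0]
        floor = minimums.get(family)
        if floor is not None and version_key(version) < version_key(floor):
            outdated.append((name, artifact, version, floor))
    return outdated


def scan_plugin_dir(path: str, minimums: Dict[str, str] = MINIMUMS) -> List[Tuple[str, str, str, str]]:
    """Run the check over the .jar files in a real plugin directory."""
    jars = sorted(f for f in os.listdir(path) if f.endswith(".jar"))
    return find_outdated(jars, minimums)


if __name__ == "__main__":
    # Hypothetical path; pass a real plugin directory to scan_plugin_dir instead.
    for jar, artifact, version, floor in find_outdated(SAMPLE_JARS, MINIMUMS):
        print(f"{jar}: {artifact} {version} is below minimum {floor}")
```

Running it against the constructed list reports jackson-databind 2.10.4 and netty-common 4.1.49.Final as below their floors while the newer jars pass. Pointing `scan_plugin_dir` at the plugin directory extracted from the image gives the same report for a real bundle, which is a quick way to confirm a pre-build actually shipped the upgraded dependencies before re-running the full scanner.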

ok, seems that we can upgrade some of netty and jackson dependencies. Will let you know when it's done

Just checking in on this. Any prediction as to when there will be a release of RoR that includes these dependency updates?

@esmierciakSR it is going to be a part of ROR 1.25.0. We release once a month. Next release will be in November. But when it's ready, I'll send you a pre-build of 1.25.0 to test.

Thanks for the update. Look forward to it.