gauravmehta26 Posted July 16, 2018

net.sf.jasperreports.jasperreports from Maven Central has a dependency on itext-2.1.7, which in turn has a dependency on bouncycastle.bcprov-jdk14-138. Having this dependency in jasperreports introduces CVE-2018-5382, which is a threat level 9.8 and very severe. Can you please let me know what the alternatives for it are, and how we can make sure in our application that we don't become vulnerable because of this?
teodord Posted July 18, 2018

Hi,

What version of JasperReports Library are you using, and how did you inspect the dependency tree?

Recent versions of our product use a fork of iText called 2.1.7-js6, which you can find here:
https://jaspersoft.jfrog.io/jaspersoft/list/third-party-ce-artifacts/com/lowagie/itext/2.1.7.js6/

We upgraded to org.bouncycastle:bcprov-jdk15on:1.52 a while ago.

Thanks,
Teodor
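The reply above gives two pieces of the fix (the 2.1.7.js6 iText fork and a newer org.bouncycastle artifact) but not how to wire them into a consumer's build. The following pom.xml fragment is an added example, not code from Teodor's reply or from the JasperReports project's own build files. It assumes: the repository root https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts (derived from the listing URL in the reply), the Maven coordinates com.lowagie:itext:2.1.7.js6 (derived from the same URL path), the legacy coordinates bouncycastle:bcprov-jdk14 (derived from the artifact name in the first post), and a ${jasperreports.version} placeholder for whichever JasperReports version you actually use.

```xml
<!-- Added example: pom.xml fragment for a project that depends on jasperreports.
     Repository URL, artifact coordinates and the version placeholder are assumptions
     derived from the thread, not taken from the JasperReports project's own POM. -->
<project>

  <!-- The iText fork is not on Maven Central; it is served from Jaspersoft's
       third-party repository (root URL assumed from the listing link above). -->
  <repositories>
    <repository>
      <id>jaspersoft-third-party-ce</id>
      <url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts</url>
    </repository>
  </repositories>

  <!-- Pin the Bouncy Castle version Teodor mentions for every transitive path that
       uses the org.bouncycastle groupId. Note this does NOT touch the legacy
       "bouncycastle:bcprov-jdk14" artifact: Maven treats a different groupId as a
       different artifact, so dependencyManagement alone cannot override it. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.52</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>net.sf.jasperreports</groupId>
      <artifactId>jasperreports</artifactId>
      <version>${jasperreports.version}</version> <!-- placeholder: set to your version -->
      <exclusions>
        <!-- Drop the stock iText 2.1.7 so the js6 fork declared below is used instead. -->
        <exclusion>
          <groupId>com.lowagie</groupId>
          <artifactId>itext</artifactId>
        </exclusion>
        <!-- Explicitly remove the legacy Bouncy Castle artifact from the first post;
             an exclusion is the only way to get rid of a differently-named groupId. -->
        <exclusion>
          <groupId>bouncycastle</groupId>
          <artifactId>bcprov-jdk14</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- The fork of iText that recent JasperReports releases build against. -->
    <dependency>
      <groupId>com.lowagie</groupId>
      <artifactId>itext</artifactId>
      <version>2.1.7.js6</version>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm that no old Bouncy Castle artifact is still reachable by listing only the matching nodes of the resolved tree, for example with `mvn dependency:tree -Dincludes=bouncycastle,org.bouncycastle`; an empty result for the `bouncycastle` groupId and a single `org.bouncycastle:bcprov-jdk15on:jar:1.52` line is what you want to see. If the tree still shows `bouncycastle:bcprov-jdk14`, another dependency is pulling it in and needs the same exclusion.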
kurtis.fleming Posted February 13, 2019

Hi,

Has there been a fix for this vulnerability?

Thanks,
Kurt