
Security Finding: CVE-2018-5382 JasperReports


gauravmehta26


net.sf.jasperreports.jasperreports from Maven Central has a dependency on itext-2.1.7, which in turn has a dependency on bouncycastle.bcprov-jdk14-138.

Having this dependency in jasperreports introduces CVE-2018-5382, which is a threat level 9.8 and very severe. Can you please let me know what the alternatives for it are, and how we make sure in our application that we don't become vulnerable because of this?


Hi,

What version of JasperReports Library are you using and how did you inspect the dependency tree?

Recent versions of our product use a fork of iText called 2.1.7-js6, which you can find here:

https://jaspersoft.jfrog.io/jaspersoft/list/third-party-ce-artifacts/com/lowagie/itext/2.1.7.js6/

We upgraded to org.bouncycastle:bcprov-jdk15on:1.52 a while ago.

Thanks,

Teodor

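As an added example (not code from the thread or from the JasperReports project), this pom.xml fragment shows how a consuming application could apply Teodor's reply: exclude the legacy BouncyCastle artifacts that stock iText 2.1.7 pulls in, steer transitive resolution to the com.lowagie:itext:2.1.7.js6 fork, and declare org.bouncycastle:bcprov-jdk15on:1.52 directly. The JasperReports version placeholder, the repository root (derived from the browse URL above), and the exact coordinates of the excluded jdk14 artifacts are assumptions to verify against your own dependency tree.

```xml
<!-- Added example, not JasperReports project code. Values marked ASSUMED need checking. -->
<project>
  <repositories>
    <!-- ASSUMED: repository root derived from the browse link in the reply -->
    <repository>
      <id>jaspersoft-third-party</id>
      <url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
    </repository>
  </repositories>
  <dependencyManagement>
    <dependencies>
      <!-- ASSUMED: resolve the forked iText from the reply instead of stock 2.1.7,
           wherever it appears transitively -->
      <dependency>
        <groupId>com.lowagie</groupId>
        <artifactId>itext</artifactId>
        <version>2.1.7.js6</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>net.sf.jasperreports</groupId>
      <artifactId>jasperreports</artifactId>
      <version>JASPERREPORTS_VERSION_PLACEHOLDER</version>
      <exclusions>
        <!-- ASSUMED coordinates of the legacy BouncyCastle artifacts that stock
             iText 2.1.7 declares (the thread names bcprov-jdk14 138). Exclusions
             apply to the whole subtree under jasperreports. -->
        <exclusion>
          <groupId>bouncycastle</groupId>
          <artifactId>bcprov-jdk14</artifactId>
        </exclusion>
        <exclusion>
          <groupId>bouncycastle</groupId>
          <artifactId>bcmail-jdk14</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Declare the provider version named in the reply directly: bcprov-jdk14 and
         bcprov-jdk15on are different artifactIds, so Maven's nearest-wins version
         mediation would never replace one with the other on its own. -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.52</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the result with `mvn dependency:tree -Dincludes=bouncycastle,org.bouncycastle`: only bcprov-jdk15on:1.52 should remain, and any other `*-jdk14` artifact that still shows up needs its own exclusion.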
