There is a security vulnerability in recent versions of jetty: https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8

There seems to be no spring-boot-jetty-starter version yet with an updated jetty dependency that is not affected by it.

Will there be a spring-boot-jetty-starter hotfix version release for this?

The jetty project points out possible workarounds such as disabling gzip inflation of incoming requests. Unfortunately I can't find whether this affects Spring MVC at all and, if so, where I could configure it. Any pointers are very much appreciated! :slightly_smiling_face:

Comment From: wilkinsona

Please take a moment to search for existing issues before raising a new one. We've already upgraded to 9.4.35 in each of our three active maintenance branches. They are scheduled for release on Thursday. You can use the jetty.version property to override the version of Jetty in the meantime.

If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.
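As an added illustration of the `jetty.version` override mentioned above (not part of this thread or of Spring Boot's own sources): Spring Boot's dependency management resolves the Jetty artifacts from this property, so setting it in the Maven `pom.xml` pins every Jetty module to the patched release. The full version string with the `vYYYYMMDD` qualifier is an assumption here; take the exact value from the Jetty release notes for 9.4.35.

```xml
<!-- pom.xml of a Spring Boot application using spring-boot-starter-jetty -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- placeholder: the Boot release you are currently on -->
    <version>2.3.x-PLACEHOLDER</version>
  </parent>

  <properties>
    <!-- Override Boot's managed Jetty version until the fixed Boot release ships.
         Full version string (with the date qualifier) is an assumption; confirm
         it against the Jetty release notes for 9.4.35. -->
    <jetty.version>9.4.35.v20201120</jetty.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
        <!-- drop Tomcat so Jetty is the embedded container -->
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-jetty</artifactId>
    </dependency>
  </dependencies>
</project>
```

With Gradle the equivalent is `ext['jetty.version'] = '9.4.35.v20201120'` in `build.gradle`. Verify the override actually took effect with `mvn dependency:tree -Dincludes=org.eclipse.jetty`, which should list every `org.eclipse.jetty` artifact at the pinned version and nothing older.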

Comment From: s-spindler

Sorry, my bad. I looked only for the CVE and not for the fix version :facepalm: I commented the CVE number on the issues in case someone else does the same.