Tomcat 9.0.39 has vulnerabilities (ref. https://nvd.nist.gov/vuln/detail/CVE-2020-13943). In my scenario I'm using a spring-boot framework application with an embedded Tomcat app server; the vulnerability affected these dependencies:
- tomcat-embed-core-9.0.39.jar
- tomcat-embed-jasper-9.0.39.jar
- tomcat-embed-websocket-9.0.39.jar
When will the spring-boot framework support Tomcat 10?
Comment From: legart
It is fixed in tomcat 9.0.38? http://tomcat.apache.org/security-9.html
Comment From: wilkinsona
@edensys Please don't spam the issue tracker by opening issues and making comments with identical content. It wastes the time of everyone watching the repository.
@legart Thanks. You're absolutely right that 9.0.39 isn't affected as the problem was fixed in 9.0.38.
Comment From: edensys
> @edensys Please don't spam the issue tracker by opening issues and making comments with identical content. It wastes the time of everyone watching the repository.
> @legart Thanks. You're absolutely right that 9.0.39 isn't affected as the problem was fixed in 9.0.38.

Sorry @wilkinsona for the duplicate issues. The OWASP dependency check scanner produced a report that informs me that Tomcat 9.0.39 is vulnerable, with reference to CVE-2020-13943. Does it mean that OWASP dependency check gave me a false positive?
Comment From: edensys
owasp dependency check maven ref. https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
Comment From: wilkinsona
> Does it mean that owasp dependency check gave me a false positive?

Yes.
If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.
Comment From: Abhilashkongara
Hi, when can we expect Tomcat 10 support in the Spring Boot framework? Any tentative date?