Re: [jetty-users] Does CVE-2025-24813 affect org.mortbay.jasper:apache-jsp:jar ?

That CVE impacts the Tomcat DefaultServlet.
And only when you set the Tomcat DefaultServlet to readonly="false".

Neither of which impact the Apache Jasper project or classes.

- Joakim

On Fri, Apr 4, 2025 at 4:43 AM Guus der Kinderen via jetty-users <jetty-users@xxxxxxxxxxx> wrote:
Hi!

Recently, a CVE was raised against apache-jsp: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

The affected versions are reported to be:
  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0.M1 to 9.0.98
Jetty provides what I assume to be a variant of this library in org.mortbay.jasper:apache-jsp. That is a transitive dependency of, among other things, org.eclipse.jetty.ee8:jetty-ee8-apache-jsp.

The latest version of jetty-ee8-apache-jsp to date is 12.0.18. It depends on org.mortbay.jasper:apache-jsp version 9.0.96.

I do notice that org.mortbay.jasper:apache-jsp version 9.0.102 exists. It does not (yet?) seem to be used in a newer version of jetty-ee8-apache-jsp.

My question is: does org.mortbay.jasper:apache-jsp prior to v9.0.99 suffer from the same CVE?

If so: is that CVE resolved in org.mortbay.jasper:apache-jsp v9.0.102?

If so, is it safe to combine recent versions of jetty-ee8-apache-jsp with org.mortbay.jasper:apache-jsp version 9.0.102?

Thanks!

Kind regards,

  Guus
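The two facts the thread turns on are the affected Tomcat version ranges quoted in the question and the precondition named in the reply (Tomcat's DefaultServlet configured with readonly="false"). The following triage helper is an added example, not code from the thread or from the Jetty or Tomcat projects; it assumes that org.mortbay.jasper:apache-jsp follows Tomcat's version numbering (the questioner's own assumption) and uses a constructed web.xml sample. It shows why a version-range match alone is a false positive for the Jasper artifact: the verdict only reports exposure when the writable DefaultServlet is actually declared.

```python
"""Triage helper for CVE-2025-24813 as discussed in the thread above.

Combines (1) the affected Tomcat version ranges quoted in the question and
(2) the precondition named in the reply: Tomcat's DefaultServlet declared
with readonly="false". Both must hold before a deployment is reported as
exposed. Added example; assumes Tomcat-style version strings and uses a
constructed web.xml.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as quoted in the thread (inclusive bounds).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]

# Accepts '9.0.98', '9.0.0.M1' and '10.1.0-M1' (milestone separator varies).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat-style version into a sortable tuple.

    A milestone M<n> sorts before the final release with the same numbers,
    so 9.0.0.M1 < 9.0.0 < 9.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat-style version: %r" % text)
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def in_affected_range(version):
    """True if the version falls inside any quoted affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Strip the XML namespace so javaee and jakartaee web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if web.xml declares Tomcat's DefaultServlet with readonly=false.

    readonly defaults to true when the init-param is absent.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = "", {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                cls = (child.text or "").strip()
            elif name == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if (cls == "org.apache.catalina.servlets.DefaultServlet"
                and params.get("readonly", "true").lower() == "false"):
            return True
    return False


def triage(version, web_xml_text):
    """Report whether both conditions from the thread are present."""
    in_range = in_affected_range(version)
    writable = default_servlet_writable(web_xml_text)
    if in_range and writable:
        verdict = "at risk: affected version and DefaultServlet writable"
    elif in_range:
        verdict = "version in range, but DefaultServlet not writable"
    else:
        verdict = "version outside affected range"
    return {"in_affected_range": in_range,
            "default_servlet_writable": writable,
            "verdict": verdict}


# Constructed samples (not from any real deployment).
WEB_XML_WRITABLE = """
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

WEB_XML_READONLY = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    # 9.0.96 is the apache-jsp version named in the question.
    print(triage("9.0.96", WEB_XML_READONLY))
    print(triage("9.0.96", WEB_XML_WRITABLE))
    print(triage("9.0.102", WEB_XML_WRITABLE))
```

Run as a script it prints the three verdicts; in a pipeline, feed it the version resolved from `mvn dependency:tree` and the deployed web.xml. In a Jetty deployment the DefaultServlet check will not match, since Jetty ships its own default servlet rather than Tomcat's, which is the reply's point.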