There are already tickets about this, IGNITE-14845 <https://issues.apache.org/jira/browse/IGNITE-14845> for example. Note that at least two of the CVEs you list are not exposed in Ignite (IGNITE-10801 <https://issues.apache.org/jira/browse/IGNITE-10801>).
> On 14 Jan 2022, at 09:22, Lo, Marcus <marcus...@citi.com> wrote:
>
> Hi,
>
> The current Ignite (v2.11) has h2 v1.4.197 as dependencies, which is subject
> to the following vulnerabilities. Is there any plan to update to a newer
> version? Given the currently heightened security awareness, it would be very
> difficult to make the case to use the current version of Ignite due to
> corporate security policy. Thanks.
>
> CVE-2021-23463 (BDSA-2021-3744)
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463
>
> CVE-2018-10054 (BDSA-2018-1048)
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054
>
> BDSA-2022-0048 (H2 Database Vulnerable to Remote Code Execution (RCE) via
> Unsafe JNDI Class Loading Functionality)
> https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
> https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
>
> CVE-2018-14335 (BDSA-2018-2507)
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335
>
> Regards,
> Marcus