
Upgrade tomcat version to avoid vulnerability CVE-2025-24813

Open ichwansh03 opened this issue 8 months ago • 2 comments

Environment:

  • Jib version: 3.4.5
  • Build tool: Maven:3.9.9
  • OS: M1 Sequoia:15.3.2

Description of the issue: I got a vulnerability issue when building a Docker image to Docker Desktop; this issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. In this jib version, tomcat is still used in: maven / org.apache.tomcat.embed/tomcat-embed-core / 10.1.34

Expected behavior: upgrade to version 11.0.3, 10.1.35 or 9.0.99.

Additional Information:

ichwansh03 avatar Apr 01 '25 06:04 ichwansh03

@ichwansh03 can you share the exact command you are using to invoke jib? Are you specifying a jib.from.image? Currently we are using eclipse-temurin as our default base image, and it does not include tomcat.

ldetmer avatar Jul 15 '25 18:07 ldetmer

@ichwansh03 Friendly ping on this. We don't define tomcat as the default base image (see https://github.com/GoogleContainerTools/jib/blob/master/docs/default_base_image.md). Would it be possible for you to share your jib-maven-plugin setup so that we can get a bit more context?

mpeddada1 avatar Sep 29 '25 19:09 mpeddada1
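Both maintainer replies point at the project's own dependencies rather than at jib's base image, so the practical next step for a report like this is to run `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` and trace which dependency drags in tomcat-embed-core. The script below is an added example, not code from jib or from the issue reporter: it parses `mvn dependency:tree` output, prints the parent chain for every `org.apache.tomcat.embed:tomcat-embed-core` it finds, and flags versions inside the affected ranges quoted in the issue (11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, 9.0.0.M1 through 9.0.98). The sample tree, the `com.example` artifacts in it and the chain through which tomcat arrives are constructed and hypothetical; pipe real `mvn dependency:tree` output into it to check your own build.

```python
"""Find org.apache.tomcat.embed:tomcat-embed-core in `mvn dependency:tree` output
and flag versions inside the affected ranges quoted in the issue
(11.0.0-M1..11.0.2, 10.1.0-M1..10.1.34, 9.0.0.M1..9.0.98).

Added example, not code from jib or from the issue reporter.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

TARGET_GROUP, TARGET_ARTIFACT = "org.apache.tomcat.embed", "tomcat-embed-core"

# Inclusive affected ranges, exactly as listed in the issue text.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]

# Constructed sample of `mvn dependency:tree` output. The com.example artifacts and the
# chain through which tomcat-embed-core arrives are hypothetical, not the reporter's project.
SAMPLE_TREE = """\
[INFO] --- dependency:3.7.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:web-starter:jar:2.0.0:compile
[INFO] |  +- com.example:servlet-runtime:jar:2.0.0:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.34:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.34:compile
[INFO] |  \\- com.example:web-core:jar:2.0.0:compile
[INFO] \\- com.google.code.gson:gson:jar:2.11.0:compile
"""

# One dependency line: "[INFO] " + tree drawing (3 chars per level) + Maven coordinates.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)"
    r"(?P<coord>[\w.-]+(?::[\w.-]+){3,5})$"
)


@dataclass
class Hit:
    version: str
    path: List[str]  # ancestor coordinates from the root down to the direct parent


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Sort key for Tomcat versions; milestones such as 10.1.0-M1 or 9.0.0.M1 sort before GA."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    # (..., 0, n) for milestone n and (..., 1, 0) for the GA build, so 10.1.0-M1 < 10.1.0
    pre = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), *pre)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the inclusive affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def find_artifact(tree: str, group: str, artifact: str) -> List[Hit]:
    """Return every occurrence of group:artifact with its version and parent chain."""
    hits: List[Hit] = []
    stack: List[str] = []  # ancestors of the current line, index == depth
    for line in tree.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # build banners, plugin headers and blank lines are skipped
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        g, a = parts[0], parts[1]
        # root: g:a:type:version; others: g:a:type[:classifier]:version:scope
        version = parts[3] if len(parts) <= 5 else parts[4]
        del stack[depth:]  # pop siblings' subtrees before descending again
        stack.append(f"{g}:{a}")
        if (g, a) == (group, artifact):
            hits.append(Hit(version=version, path=stack[:-1]))
    return hits


def check_tree(tree: str) -> List[Tuple[str, str, bool]]:
    """(chain, version, affected) for every tomcat-embed-core in the tree."""
    results = []
    for hit in find_artifact(tree, TARGET_GROUP, TARGET_ARTIFACT):
        chain = " -> ".join(hit.path + [f"{TARGET_GROUP}:{TARGET_ARTIFACT}"])
        results.append((chain, hit.version, is_affected(hit.version)))
    return results


if __name__ == "__main__":
    # Pipe real output in (mvn dependency:tree | python check_tomcat.py); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    for chain, version, bad in check_tree(text or SAMPLE_TREE):
        print(f"{'AFFECTED' if bad else 'ok'}: tomcat-embed-core {version} via {chain}")
```

Once the chain is known, the fix belongs in that project's pom (a managed version for tomcat-embed-core at or above the fixed releases named in the issue, or a newer version of the dependency that brings it in), not in jib: the image's base layer is chosen separately through the plugin's `<from><image>` setting or the `jib.from.image` property the maintainers ask about, and the default eclipse-temurin base does not contribute any Tomcat jar.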