This is an automated email from the ASF dual-hosted git repository.
cecemei pushed a commit to branch 37.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/37.0.0 by this push:
new db6aac2532d cve (#19384)
db6aac2532d is described below
commit db6aac2532d160e89f9b6df530c5d99123dd015c
Author: Cece Mei <[email protected]>
AuthorDate: Tue Apr 28 11:12:56 2026 -0700
cve (#19384)
---
owasp-dependency-check-suppressions.xml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index ac4599355fd..9204adf2a0d 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -146,6 +146,7 @@
<cve>CVE-2024-9823</cve> <!-- This is in hadoop's shadded jetty. no
version of hadoop has updated to fixed version. It is a jetty server vuln,
which should not be exploitable in hadoop client code -->
<cve>CVE-2025-27821</cve> <!-- native hdfs vulnerability -->
<cve>CVE-2025-5115</cve> <!-- netty issue in shaded hadoop -->
+ <cve>CVE-2026-5795</cve> <!-- This affects Jetty JASPIAuthenticator
(jetty-security module). The application only includes shaded jetty-io, which
does not contain the vulnerable classes. -->
</suppress>
<!-- those are false positives, no other tools report any of those CVEs in
the hadoop package -->
@@ -594,6 +595,16 @@
<cve>CVE-2023-26464</cve>
</suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: log4j-*-2.25.3.jar (all log4j artifacts)
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-.*@.*$</packageUrl>
+ <cve>CVE-2026-34478</cve>
+ <cve>CVE-2026-34480</cve>
+ <cve>CVE-2026-34481</cve>
+ </suppress>
+
<suppress>
<!--
- TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0,
released in July 2018.
@@ -760,4 +771,13 @@
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc-.*@.*$</packageUrl>
<cve>CVE-2026-33186</cve> <!-- Only applicable to gRPC Go
(google.golang.org/grpc < 1.79.3), not gRPC Java -
https://nvd.nist.gov/vuln/detail/CVE-2026-33186 -->
</suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: pac4j-*-5.7.3.jar (all pac4j artifacts)
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.pac4j/pac4j-.*@5\.7\.3$</packageUrl>
+ <cve>CVE-2026-40458</cve> <!-- CSRF vulnerability - not applicable as
Druid explicitly disables CSRF checks by using authorizer="none" in Pac4jFilter
for API/web service usage -->
+ <cve>CVE-2026-40459</cve> <!-- LDAP injection vulnerability - not
applicable as Druid uses OIDC authentication (pac4j-oidc), not LDAP
authentication -->
+ </suppress>
</suppressions>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
