[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17887710#comment-17887710
 ] 

Zili Chen commented on ZOOKEEPER-4868:
--------------------------------------

FYI, ZK isn't affected by this CVE. But bumping the version to reduce friction is
valuable, so we bump it and make scanners happy.

> Bump commons-io library to 2.14.0
> ---------------------------------
>
>                 Key: ZOOKEEPER-4868
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4868
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: server
>    Affects Versions: 3.8.4, 3.9.2
>            Reporter: Jota Martos
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.10.0, 3.8.5, 3.9.3
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> CVE-2024-47554 is fixed in that version of the library. Could you please
> confirm whether ZooKeeper is affected by this vulnerability and, if so, whether
> there are any plans to update the dependency?
> {code}
> Java (jar)
> ==========
> Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
> ┌───────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
> │                    Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
> ├───────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
> │ commons-io:commons-io (commons-io-2.11.0.jar) │ CVE-2024-47554 │ HIGH     │ fixed  │ 2.11.0            │ 2.14.0        │ apache-commons-io: Possible denial of service attack on │
> │                                               │                │          │        │                   │               │ untrusted input to XmlStreamReader                      │
> │                                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47554              │
> └───────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘
>  
> {code}
> h4. Steps to reproduce
> {code}
> trivy image zookeeper:3.9
> {code}
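The issue above is the usual "scanner flags a transitive dependency the product does not actually exercise" situation: the maintainer's comment says ZooKeeper is not affected, but the dependency is bumped anyway so image scans come back clean. The following script is an added example, not part of the issue or of ZooKeeper's own code, showing how a CI gate can reproduce trivy's severity summary from its JSON output while keeping a record of findings that were triaged as not-affected, so the bump-to-silence-the-scanner decision stays visible instead of disappearing into an ignore list. The report embedded below is constructed to mirror the finding in the ticket; the field names (Results, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title) follow trivy's JSON format as I know it and should be treated as an assumption to check against `trivy image --format json` on the version you run.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed trivy-style JSON report (not real scanner output). It mirrors the
# finding in ZOOKEEPER-4868: commons-io 2.11.0 flagged for CVE-2024-47554, fixed
# in 2.14.0. Field names are an assumption about trivy's JSON layout.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2024-47554",
                    "PkgName": "commons-io:commons-io",
                    "InstalledVersion": "2.11.0",
                    "FixedVersion": "2.14.0",
                    "Severity": "HIGH",
                    "Title": "apache-commons-io: Possible denial of service attack "
                             "on untrusted input to XmlStreamReader",
                }
            ],
        }
    ]
})

# Order matters: it is the order trivy prints in its "Total:" summary line.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_json: str) -> List[Dict]:
    """Flatten every vulnerability across all Results into one list of dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # trivy emits null (not []) for targets with no findings, hence "or []".
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def severity_counts(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity, including zero rows for unused levels."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def format_summary(findings: List[Dict]) -> str:
    """Render the same one-line summary trivy prints above its table."""
    counts = severity_counts(findings)
    parts = ", ".join(f"{level}: {counts[level]}" for level in SEVERITY_RANK)
    return f"Total: {len(findings)} ({parts})"


def gate(findings: List[Dict], min_severity: str = "HIGH",
         triaged: Optional[Dict[str, str]] = None) -> Tuple[List[Dict], List[Dict]]:
    """Split findings into (blocking, suppressed).

    A finding blocks when it is at or above min_severity AND a fixed version
    exists (there is nothing actionable to do about an unfixed one at bump time).
    Findings whose CVE id appears in `triaged` (id -> reason) are not blocking
    but are returned separately, with the reason attached, so the decision that
    the product is not affected stays auditable rather than silently ignored.
    """
    triaged = triaged or {}
    threshold = SEVERITY_RANK[min_severity]
    blocking, suppressed = [], []
    for finding in findings:
        if SEVERITY_RANK.get(finding["severity"], 0) < threshold:
            continue
        if not finding["fixed"]:
            continue
        if finding["id"] in triaged:
            suppressed.append({**finding, "reason": triaged[finding["id"]]})
        else:
            blocking.append(finding)
    return blocking, suppressed


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(format_summary(found))
    # Triage reason taken from the maintainer comment in this ticket.
    triage = {"CVE-2024-47554": "maintainers state ZK not affected (ZOOKEEPER-4868)"}
    blocking, suppressed = gate(found, triaged=triage)
    for f in blocking:
        print(f"BLOCK  {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    for f in suppressed:
        print(f"NOTE   {f['id']} {f['pkg']} suppressed: {f['reason']}")
```

Run it against a real report with `trivy image --format json zookeeper:3.9 > report.json` and `load_findings(open("report.json").read())`. The point of returning the suppressed list instead of dropping it is that once the dependency is bumped the entry disappears from the scan on its own, and until then the reason it was allowed through is printed on every run.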



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
