apache / hudi

Upserts, Deletes And Incremental Processing on Big Data.

Home Page:https://hudi.apache.org/


[SUPPORT] CVE problems in latest 0.14.1

Smith-Cruise opened this issue

CVE-affected jars were introduced by hudi-common (through the hbase-server and hbase-client transitive dependencies).
Could you let me know if the community plans to resolve these CVE dependencies?

lib/hbase-protocol-shaded-2.4.18.jar
====================================
Total: 49 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 26, CRITICAL: 20)

+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                                      TITLE                                      |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095   | CRITICAL | 2.4.0             | 2.9.4, 2.8.11                  | jackson-databind: Unsafe                                                        |
|                                             |                  |          |                   |                                | deserialization due to                                                          |
|                                             |                  |          |                   |                                | incomplete black list (incomplete                                               |
|                                             |                  |          |                   |                                | fix for CVE-2017-7525)...                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-15095                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+

lib/htrace-core4-4.2.0-incubating.jar
=====================================
Total: 49 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 26, CRITICAL: 20)

+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                                      TITLE                                      |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095   | CRITICAL | 2.4.0             | 2.9.4, 2.8.11                  | jackson-databind: Unsafe                                                        |
|                                             |                  |          |                   |                                | deserialization due to                                                          |
|                                             |                  |          |                   |                                | incomplete black list (incomplete                                               |
|                                             |                  |          |                   |                                | fix for CVE-2017-7525)...                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-15095                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
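The scanner output above is flagging a copy of jackson-databind that is bundled inside other jars (hbase-protocol-shaded and htrace-core4), not a top-level jackson-databind dependency. That matters for the fix: a Maven `dependencyManagement` override on jackson-databind does nothing for a copy that the maven-shade-plugin has packed into another artifact. The following script, an added example that is not part of the issue or of the Hudi project, shows how such bundled copies are found: it reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that shaded jars carry (the same metadata Trivy relies on) and checks the found version against the fix lines from the scan table. The advisory table, the version-comparison rule and the sample jar are constructed for the example; the "same minor line, else lowest fixed version" rule is a simplification and not Trivy's exact range logic.

```python
import os
import re
import sys
import tempfile
import zipfile

# Path layout the maven-shade-plugin keeps inside fat jars for every module it merges.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Constructed advisory table: the single row from the issue's Trivy output.
# coordinate -> [(CVE id, fixed versions as listed by the scanner)]
ADVISORIES = {
    "com.fasterxml.jackson.core:jackson-databind": [("CVE-2017-15095", ["2.9.4", "2.8.11"])],
}


def bundled_artifacts(jar_path):
    """Return {"groupId:artifactId": version} for every Maven module embedded in the jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            gid = props.get("groupId", match.group(1))
            aid = props.get("artifactId", match.group(2))
            found[f"{gid}:{aid}"] = props.get("version", "unknown")
    return found


def parse_version(version):
    """Numeric prefix of each dotted component: "4.2.0-incubating" -> (4, 2, 0)."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_vulnerable(installed, fixed_versions):
    """Simplified rule (assumption): compare against the fix on the same major.minor
    line if one exists, otherwise against the lowest fixed version. An unparsable
    version is treated as vulnerable so it is never silently dropped."""
    inst = parse_version(installed)
    fixed = [parse_version(f) for f in fixed_versions]
    same_line = [f for f in fixed if f[:2] == inst[:2]]
    if same_line:
        return inst < min(same_line)
    return inst < min(fixed)


def scan_jar(jar_path):
    """List (coordinate, version, CVE, fixed versions) for bundled modules in ADVISORIES."""
    findings = []
    for coord, version in bundled_artifacts(jar_path).items():
        for cve, fixed in ADVISORIES.get(coord, []):
            if is_vulnerable(version, fixed):
                findings.append((coord, version, cve, ", ".join(fixed)))
    return findings


def build_sample_jar(path):
    """Write a constructed jar that embeds jackson-databind 2.4.0 the way a shaded jar does."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "#Generated by Maven\nversion=2.4.0\n"
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n",
        )
        jar.writestr(
            "META-INF/maven/org.apache.htrace/htrace-core4/pom.properties",
            "version=4.2.0-incubating\ngroupId=org.apache.htrace\nartifactId=htrace-core4\n",
        )
    return path


def demo_scan():
    """Build the constructed sample jar in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_jar(build_sample_jar(os.path.join(tmp, "sample-shaded.jar")))


if __name__ == "__main__":
    # Usage: python scan_bundled.py [jar ...]; with no arguments it scans the sample jar.
    results = [f for jar in sys.argv[1:] for f in scan_jar(jar)] if sys.argv[1:] else demo_scan()
    for coord, version, cve, fixed in results:
        print(f"{coord} {version}: {cve} (fixed in {fixed})")
```

Running it over the jars in `lib/` reproduces the scanner's finding per jar; the practical consequence is that the vulnerable copy can only be removed by upgrading (or re-shading) the hbase artifacts that contain it, which is why the issue is directed at the hudi-common dependency rather than at a jackson-databind version pin. Jars whose build stripped `META-INF/maven` are invisible to this check and to the scanner alike.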