[SUPPORT] CVE problems in latest 0.14.1
Smith-Cruise opened this issue
Smith Cruise commented
CVE jars were introduced by hudi-common (via the hbase-server and hbase-client transitive dependencies).
Could you let me know if the community plans to resolve these CVE dependencies?
lib/hbase-protocol-shaded-2.4.18.jar
====================================
Total: 49 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 26, CRITICAL: 20)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095 | CRITICAL | 2.4.0 | 2.9.4, 2.8.11 | jackson-databind: Unsafe |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
lib/htrace-core4-4.2.0-incubating.jar
=====================================
Total: 49 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 26, CRITICAL: 20)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095 | CRITICAL | 2.4.0 | 2.9.4, 2.8.11 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-7525)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-15095 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
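The scan above attributes jackson-databind 2.4.0 to two jars that are not jackson at all (a shaded HBase protocol jar and htrace-core4), which is the tell-tale sign of a bundled copy: the classes were copied into the jar at build time, so `mvn dependency:tree` will not list them and a `<exclusion>` in hudi-common's pom cannot remove them; only upgrading or rebuilding the shaded jar does. Scanners such as Trivy find these copies through the META-INF/maven/&lt;groupId&gt;/&lt;artifactId&gt;/pom.properties files that maven-shade-plugin keeps for every bundled dependency. The following is an added example, not code from the Hudi project or from the issue reporter, that reads those entries from a jar and re-applies the table's FIXED VERSION column (two fixes, 2.9.4 and 2.8.11, one per release branch) to decide whether the bundled copy is still affected. The sample jar, its file paths and the relocated class path inside it are constructed for the demo; only the coordinates and versions come from the scan output.

```python
"""Added example (not Hudi project code): find artifacts bundled inside a jar
and check them against a scanner's fixed-version list.

Shading preserves META-INF/maven/<groupId>/<artifactId>/pom.properties for
each bundled dependency, so those files reveal copies that no pom.xml
exclusion can reach.
"""
import tempfile
import zipfile
from pathlib import Path


def bundled_artifacts(jar_path):
    """Map "groupId:artifactId" -> version for every pom.properties in the jar.

    A plain jar yields only its own coordinate; a shaded/uber jar also yields
    one entry per dependency that was copied into it.
    """
    found = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for raw in jar.read(name).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            gid, aid, ver = props.get("groupId"), props.get("artifactId"), props.get("version")
            if gid and aid and ver:
                found[f"{gid}:{aid}"] = ver
    return found


def version_key(version):
    """Numeric-aware comparison key: "2.8.11" -> ((1,2),(1,8),(1,11)).
    Non-numeric components sort below numeric ones at the same position."""
    key = []
    for part in version.replace("-", ".").split("."):
        key.append((1, int(part)) if part.isdigit() else (0, part))
    return tuple(key)


def is_vulnerable(installed, fixed_versions):
    """Interpret a scanner's FIXED VERSION list such as "2.9.4, 2.8.11".

    If a fix exists on the installed major.minor branch, the installed version
    must reach that fix; otherwise it must be at or above the lowest fix.
    """
    inst = version_key(installed)
    same_branch = [f for f in fixed_versions if version_key(f)[:2] == inst[:2]]
    if same_branch:
        return inst < min(version_key(f) for f in same_branch)
    return inst < min(version_key(f) for f in fixed_versions)


def triage(jar_path, advisories):
    """advisories: {"groupId:artifactId": [(cve, [fixed versions]), ...]}.
    Returns [(coordinate, installed_version, cve)] for bundled copies still affected."""
    hits = []
    bundled = bundled_artifacts(jar_path)
    for coord, entries in advisories.items():
        installed = bundled.get(coord)
        if installed is None:
            continue
        for cve, fixed in entries:
            if is_vulnerable(installed, fixed):
                hits.append((coord, installed, cve))
    return hits


def build_sample_jar(directory):
    """Constructed stand-in for a shaded jar (not a real HBase artifact): its own
    pom.properties plus one for a bundled jackson-databind 2.4.0, the version
    the scan in this issue reports. File names and contents are made up."""
    path = Path(directory) / "sample-shaded.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.hbase/hbase-protocol-shaded/pom.properties",
                     "#Generated by Maven\nversion=2.4.18\ngroupId=org.apache.hbase\n"
                     "artifactId=hbase-protocol-shaded\n")
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "version=2.4.0\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        # Placeholder for a relocated class (invented path): these bytes load at
        # runtime no matter what the consuming pom.xml excludes.
        jar.writestr("shaded/com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
    return path


ADVISORIES = {
    # Taken from the scanner table in this issue: fixed in 2.9.4 and 2.8.11.
    "com.fasterxml.jackson.core:jackson-databind": [("CVE-2017-15095", ["2.9.4", "2.8.11"])],
}


def demo():
    """Build the constructed jar, list what it bundles and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(tmp)
        return bundled_artifacts(jar), triage(jar, ADVISORIES)


if __name__ == "__main__":
    bundled, hits = demo()
    print("bundled:", bundled)
    for coord, installed, cve in hits:
        print(f"bundled {coord} {installed} is still affected by {cve}")
```

Point `bundled_artifacts` at the real lib/hbase-protocol-shaded-2.4.18.jar or lib/htrace-core4-4.2.0-incubating.jar to confirm the scanner's finding; if jackson-databind appears in the result, the only remediation paths are a newer build of that jar (or a rebuild that relocates and updates it), since Maven dependency management never sees the bundled copy.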