apache / pulsar

Apache Pulsar - distributed pub-sub messaging system

Home Page:https://pulsar.apache.org/

[Bug] Infinispan Client Hotrod has a vulnerability CVE-2023-4586

nikhil-ctds opened this issue · comments

Search before asking

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

Version - 3.3.0-SNAPSHOT
Branch - master

Minimal reproduce step

Found vulnerability online.

What did you expect to see?

No Vulnerabilities

What did you see instead?

Found a High Vulnerability on org.infinispan:infinispan-client-hotrod version 12.1.6.Final
CVE-2023-4586

Anything else?

Pulsar doesn't have a direct dependency on Infinispan-client-hotrod.
Pulsar has a dependency on the debezium-oracle connector:

<dependency>
    <groupId>io.debezium</groupId>
    <artifactId>debezium-connector-oracle</artifactId>
    <version>1.9.7.Final</version>
</dependency>

which in turn has a dependency on infinispan-client-hotrod@12.1.6.Final:

<dependency>
    <groupId>org.infinispan</groupId>
    <artifactId>infinispan-client-hotrod</artifactId>
    <version>12.1.6.Final</version>
</dependency>

Are you willing to submit a PR?

  • I'm willing to submit a PR!
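The issue hinges on a transitive path (Pulsar → debezium-connector-oracle → infinispan-client-hotrod), and the practical first step for a maintainer is to confirm exactly which direct dependency drags the flagged artifact in, since that is the dependency to bump, exclude, or override. The script below is an added example, not code from the issue author or from the Pulsar project: it parses the default text output of `mvn dependency:tree` and reports every path from the root module to a given groupId:artifactId. The embedded tree is constructed sample output (the module name `org.example:sample-module` and the slf4j entry are hypothetical filler); only the debezium-connector-oracle → infinispan-client-hotrod 12.1.6.Final chain mirrors what the issue describes.

```python
"""Locate the dependency paths that pull a given artifact into a Maven build.

Parses the plain-text output of `mvn dependency:tree` (the default format,
with `+- ` / `\- ` connectors and `|  ` guide bars) and reports every path
from the root module to the artifact of interest. Added example, not part
of the issue or of the Pulsar code base.
"""
import re
from typing import Iterator, List, Set, Tuple

# Constructed sample output, not a real Pulsar build log. The module name
# and the slf4j/debezium-core entries are hypothetical filler; the
# debezium-connector-oracle -> infinispan-client-hotrod chain mirrors the
# one described in the issue above.
SAMPLE_TREE = """\
[INFO] org.example:sample-module:jar:1.0.0-SNAPSHOT
[INFO] +- io.debezium:debezium-connector-oracle:jar:1.9.7.Final:compile
[INFO] |  +- org.infinispan:infinispan-client-hotrod:jar:12.1.6.Final:compile
[INFO] |  |  \\- org.infinispan:infinispan-commons:jar:12.1.6.Final:compile
[INFO] |  \\- io.debezium:debezium-core:jar:1.9.7.Final:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# prefix of guide bars / blanks, optional "+- " or "\- " connector, then the coordinate
_NODE = re.compile(r"^((?:\|  |   )*)([+\\]- )?(\S+)")


def parse_coords(coord: str) -> Tuple[str, str, str]:
    """Split 'groupId:artifactId:type[:classifier]:version[:scope]' into (group, artifact, version)."""
    fields = coord.split(":")
    version = fields[-2] if fields[-1] in _SCOPES else fields[-1]
    return fields[0], fields[1], version


def iter_nodes(tree_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (depth, coordinate) for each node of the tree, root at depth 0."""
    for raw in tree_text.splitlines():
        line = re.sub(r"^\[INFO\] ?", "", raw).rstrip()
        m = _NODE.match(line)
        # Skip blank lines, plugin banners and anything that is not a coordinate.
        if not m or m.group(3).count(":") < 3:
            continue
        prefix, marker, coord = m.groups()
        depth = len(prefix) // 3 + (1 if marker else 0)
        yield depth, coord


def find_paths(tree_text: str, group: str, artifact: str) -> List[List[str]]:
    """Return every root-to-node path whose last element is group:artifact."""
    paths: List[List[str]] = []
    stack: List[str] = []
    for depth, coord in iter_nodes(tree_text):
        stack = stack[:depth]  # pop back to the parent level, then push this node
        stack.append(coord)
        g, a, _ = parse_coords(coord)
        if g == group and a == artifact:
            paths.append(list(stack))
    return paths


def direct_dependencies(paths: List[List[str]]) -> List[str]:
    """The first-level dependencies that introduce the artifact (the ones to fix)."""
    return sorted({p[1] for p in paths if len(p) > 1})


def versions_found(paths: List[List[str]]) -> Set[str]:
    """All resolved versions of the artifact across the reported paths."""
    return {parse_coords(p[-1])[2] for p in paths}


if __name__ == "__main__":
    found = find_paths(SAMPLE_TREE, "org.infinispan", "infinispan-client-hotrod")
    for path in found:
        print(" -> ".join(path))
    print("introduced via:", direct_dependencies(found))
    print("versions:", versions_found(found))
```

To use it on a real build, feed the script the output of `mvn dependency:tree` for the module in question (for example, saved to a file and read in place of `SAMPLE_TREE`); a path whose second element is a direct dependency of the module tells you where a `dependencyManagement` override or an `<exclusion>` has to go, and `versions_found` shows whether more than one version of the artifact is being resolved.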