[Bug] Infinispan Client Hotrod has a vulnerability CVE-2023-4586
nikhil-ctds opened this issue · comments
nikhil-ctds commented
Search before asking
- I searched in the issues and found nothing similar.
Read release policy
- I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.
Version
Version - 3.3.0-SNAPSHOT
Branch - master
Minimal reproduce step
Found vulnerability online.
What did you expect to see?
No vulnerabilities
What did you see instead?
Found a High Vulnerability on org.infinispan:infinispan-client-hotrod version 12.1.6.Final
CVE-2023-4586
Anything else?
Pulsar doesn't have a direct dependency on infinispan-client-hotrod.
Pulsar has a dependency on the debezium-oracle connector:

```xml
<groupId>io.debezium</groupId>
<artifactId>debezium-connector-oracle</artifactId>
<version>1.9.7.Final</version>
```

Which in turn has a dependency on infinispan-client-hotrod@12.1.6.Final:

```xml
<groupId>org.infinispan</groupId>
<artifactId>infinispan-client-hotrod</artifactId>
<version>12.1.6.Final</version>
```
Are you willing to submit a PR?
- I'm willing to submit a PR!
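To confirm a transitive chain like the one reported above, the usual step is to walk `mvn dependency:tree` output and recover the root-to-artifact path. The script below is an added example, not code from the Pulsar project or from the reporter; the tree text is a constructed sample in the plugin's output format (the `pulsar-io-debezium-oracle` module coordinate is an assumption, the debezium and infinispan coordinates are those in the report).

```python
import re

# Constructed sample of `mvn dependency:tree` text output; it is NOT real Pulsar output.
# The root module coordinate is an assumption; the two flagged artifacts come from the report.
SAMPLE_TREE = """\
[INFO] org.apache.pulsar:pulsar-io-debezium-oracle:jar:3.3.0-SNAPSHOT
[INFO] +- org.apache.pulsar:pulsar-io-core:jar:3.3.0-SNAPSHOT:compile
[INFO] +- io.debezium:debezium-connector-oracle:jar:1.9.7.Final:compile
[INFO] |  +- io.debezium:debezium-core:jar:1.9.7.Final:compile
[INFO] |  \\- org.infinispan:infinispan-client-hotrod:jar:12.1.6.Final:compile
[INFO] |     \\- org.infinispan:infinispan-commons:jar:12.1.6.Final:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Each tree level is a 3-character cell: "|  " / "   " for continuation, "+- " / "\- " for a node.
NODE_LINE = re.compile(r"^\[INFO\] ((?:[| ]  |[+\\]- )*)(\S+)$")


def parse_tree(text):
    """Yield (depth, coordinate) for every node line of dependency:tree output."""
    for line in text.splitlines():
        match = NODE_LINE.match(line)
        if not match:
            continue  # skip non-tree lines such as [INFO] BUILD SUCCESS
        prefix, coordinate = match.groups()
        yield len(prefix) // 3, coordinate


def find_paths(text, group_artifact):
    """Return every root-to-node path whose last node is the given group:artifact."""
    paths, stack = [], []
    for depth, coordinate in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent level
        stack.append(coordinate)
        if ":".join(coordinate.split(":")[:2]) == group_artifact:
            paths.append(list(stack))
    return paths


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "org.infinispan:infinispan-client-hotrod"):
        print(" -> ".join(path))
```

On the sample this prints the single chain root -> debezium-connector-oracle:1.9.7.Final -> infinispan-client-hotrod:12.1.6.Final, which is the path the report describes.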