Critical Vulnerabilities identified in librdkafka
glansbury opened this issue
Description
Two CVEs with a CVSS score of 9.8 were identified in this library; please help update.
curl 7.86.0
GHSA-75qm-2q4j-qx6g
https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.libcurl#L48
zlib 1.2.13
GHSA-mq29-j5xf-cjwr
https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.zlib#L45
How to reproduce
Review source code and links provided. Use any SBOM vulnerability scanner to validate that the libraries are being linked into build.
Initially I discovered this in confluent-kafka-go; however, I believe the vulnerability is coming from the C base library librdkafka.
Checklist
- librdkafka version:
v2.3.0
- librdkafka client configuration:
N/A
- Operating system:
linux (any base distro)
- Provide logs: N/A. Links to source code and CVSS are all that is required.
- Provide broker log excerpts: N/A
- Critical issue: 9.8 CVSS vulnerabilities.
Related issue #4653
Another related issue in dotnet lib
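The reporter's reproduction step is to confirm, with an SBOM scanner or otherwise, which curl and zlib versions are actually linked into the built library. The script below is an added example written for this page, not code from the issue or from librdkafka: it scans a binary blob for the version strings the two libraries normally embed (`libcurl/X.Y.Z`, and the `deflate X.Y.Z Copyright` / `inflate X.Y.Z Copyright` banners from zlib's deflate.c and inflate.c) and compares them against minimum fixed versions. The sample bytes are constructed to stand in for a `librdkafka.so` that statically bundles curl 7.86.0 and zlib 1.2.13, and the `MIN_FIXED` thresholds are the editor's assumptions and must be confirmed against the two advisories before being relied on.

```python
import re
import sys

# Minimum versions assumed here to contain the fixes for the two advisories
# (GHSA-75qm-2q4j-qx6g for curl, GHSA-mq29-j5xf-cjwr for zlib).  These are
# illustrative assumptions for this example; confirm them against the advisories.
MIN_FIXED = {
    "curl": (8, 4, 0),
    "zlib": (1, 3, 1),
}

# Version strings the libraries embed in their compiled objects.  A statically
# linked curl or zlib keeps these in the final .so, which is what makes the
# check possible without a build manifest.
PATTERNS = {
    "curl": re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)"),
    "zlib": re.compile(rb"(?:deflate|inflate) (\d+)\.(\d+)\.(\d+) Copyright"),
}


def find_versions(blob):
    """Return {library: set of (major, minor, patch)} found in the blob."""
    found = {}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(blob):
            version = tuple(int(part) for part in match.groups())
            found.setdefault(name, set()).add(version)
    return found


def assess(found, min_fixed=MIN_FIXED):
    """Flag every detected version below the assumed fixed version.

    Returns a sorted list of (library, "X.Y.Z", vulnerable) tuples so that a
    blob bundling several copies of one library reports each of them.
    """
    report = []
    for name in sorted(found):
        for version in sorted(found[name]):
            vulnerable = version < min_fixed[name]
            report.append((name, ".".join(map(str, version)), vulnerable))
    return report


def scan_file(path):
    """Read a shared object or static archive and assess the versions it embeds."""
    with open(path, "rb") as handle:
        return assess(find_versions(handle.read()))


# Constructed sample: what a librdkafka.so bundling curl 7.86.0 and zlib 1.2.13
# would contain, surrounded by unrelated bytes.  Not taken from a real build.
SAMPLE_VULNERABLE = (
    b"\x7fELF\x00\x00rd_kafka_new\x00libcurl/7.86.0\x00OpenSSL/3.0.8\x00"
    b" deflate 1.2.13 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00"
    b" inflate 1.2.13 Copyright 1995-2022 Mark Adler \x00"
)

# Constructed sample of a build bundling versions at or above the thresholds.
SAMPLE_FIXED = (
    b"\x7fELF\x00libcurl/8.4.0\x00"
    b" deflate 1.3.1 Copyright 1995-2024 Jean-loup Gailly and Mark Adler \x00"
    b" inflate 1.3.1 Copyright 1995-2024 Mark Adler \x00"
)


if __name__ == "__main__":
    # Usage: python check_bundled.py /path/to/librdkafka.so
    # Without an argument, runs against the constructed sample above.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else assess(find_versions(SAMPLE_VULNERABLE))
    for library, version, vulnerable in results:
        status = "VULNERABLE (below assumed fix)" if vulnerable else "ok"
        print(f"{library} {version}: {status}")
    sys.exit(1 if any(v for _, _, v in results) else 0)
```

Pointing it at a wheel or Go module's vendored `librdkafka.so` answers the question the SBOM scanner is answering: whether the 7.86.0 and 1.2.13 strings pinned in the mklove configure modules really end up in the shipped object, or whether the build linked a system curl and zlib instead. An empty result means nothing was bundled statically and the system libraries are what need auditing.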
Thank you for the report. We are in the process of resolving this issue.
Resolved in #4706