huaweicloud / huaweicloud-sdk-java-dis

Java SDK of DIS (Data Ingestion Service) for HUAWEI CLOUD


Potential security vulnerability in the shared libraries which huaweicloud-sdk-java-dis depends on. Can you help upgrade to patch versions?

HelenParr opened this issue · comments

Hi, @tenji , @jzc928 , I'd like to report a vulnerability issue in com.huaweicloud.dis:huaweicloud-sdk-java-dis:1.3.15.

Issue Description

I noticed that com.huaweicloud.dis:huaweicloud-sdk-java-dis:1.3.15 directly depends on com.github.luben:zstd-jni:v1.4.3-1 in the pom. However, as shown in the following dependency graph, com.github.luben:zstd-jni:v1.4.3-1 suffers from the vulnerability which the C library zstd (version 1.4.3) exposed: CVE-2021-24032.

Dependency Graph between Java and Shared Libraries

[Image: dependency graph between the Java artifact and its bundled shared library]

Suggested Vulnerability Patch Versions

com.github.luben:zstd-jni:v1.4.9-1 (>=v1.4.9-1) has upgraded this vulnerable C library zstd to the patch version 1.4.9.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~
Best regards,
Helen Parr
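Added example, not part of this issue or of the huaweicloud-sdk-java-dis project: a small Python check that parses a pom.xml for com.github.luben:zstd-jni and flags any declared version below v1.4.9-1, the first JNI build the issue names as bundling the patched native zstd 1.4.9. The pom fragment is constructed for the example, and the check only covers directly declared dependencies (no transitive resolution), which is exactly the blind spot the issue describes for native code hidden inside Java artifacts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom fragment modelled on the dependency named in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.github.luben</groupId>
      <artifactId>zstd-jni</artifactId>
      <version>v1.4.3-1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
  </dependencies>
</project>"""

# Lowest zstd-jni version that ships the patched native zstd 1.4.9 (from the issue).
PATCHED_FLOOR = "v1.4.9-1"
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_zstd_jni_version(version: str) -> tuple:
    """Turn a zstd-jni tag such as 'v1.4.3-1' into a comparable tuple:
    the native zstd version followed by the JNI build number, e.g. (1, 4, 3, 1)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)-(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised zstd-jni version: {version!r}")
    return tuple(int(x) for x in m.groups())

def find_zstd_jni_versions(pom_xml: str) -> list:
    """Return every version of com.github.luben:zstd-jni declared directly in the POM."""
    root = ET.fromstring(pom_xml)
    versions = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        if group == "com.github.luben" and artifact == "zstd-jni" and version:
            versions.append(version)
    return versions

def vulnerable_zstd_jni(pom_xml: str) -> list:
    """List declared zstd-jni versions whose bundled native zstd predates the 1.4.9 fix."""
    floor = parse_zstd_jni_version(PATCHED_FLOOR)
    return [v for v in find_zstd_jni_versions(pom_xml)
            if parse_zstd_jni_version(v) < floor]

if __name__ == "__main__":
    for v in vulnerable_zstd_jni(SAMPLE_POM):
        print(f"zstd-jni {v} bundles an unpatched native zstd (below {PATCHED_FLOOR})")
```

Run against the constructed POM it reports v1.4.3-1; the same function applied to a project's real pom.xml gives a quick first pass before a full dependency-tree scan.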