
CVE-2020-8908 in Transitive Dependency #99

Closed
jburgess opened this issue Nov 17, 2023 · 3 comments

@jburgess

First, thanks for a fantastic method to test Kafka in unit tests. Very helpful!

It looks like this CVE is associated with the Guava transient dependency.

org.apache.kafka:connect-runtime:3.4.0->org.apache.curator:curator-test:5.1.0->com.google.guava:guava:27.0.1-jre

It looks like connect-runtime version 3.6.0 resolves the CVE. Possible to upgrade to this version?
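The chain above is the typical shape of a transitive-dependency finding: the vulnerable artifact is two hops away from anything the consuming build declares. An added example follows, showing how a consuming Maven project can take control of the Guava version that resolves through connect-runtime and curator-test while waiting for an upstream release. This is not code from the kafka-junit project or from this thread; the `GUAVA_FIXED_VERSION` value is a placeholder you must replace with a release the linked NVD entry lists as fixed, and the `org.example` coordinates are made up.

```xml
<!-- Added example (not from the project or this thread): a minimal consuming
     pom.xml that overrides the Guava version reached via
     connect-runtime:3.4.0 -> curator-test:5.1.0 -> guava:27.0.1-jre. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the consuming project -->
  <groupId>org.example</groupId>
  <artifactId>kafka-consumer-tests</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <properties>
    <!-- PLACEHOLDER: replace with a Guava release the NVD advisory lists as
         fixed for CVE-2020-8908 (the exact version is not stated on this page). -->
    <guava.version>GUAVA_FIXED_VERSION</guava.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version wins over Maven's nearest-wins resolution, so
           every path that reaches com.google.guava:guava, including the one
           through curator-test, resolves to this version instead of 27.0.1-jre. -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${guava.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The artifact that drags in curator-test (version from the issue text) -->
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>connect-runtime</artifactId>
      <version>3.4.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

After the override, confirm what actually resolves rather than trusting the POM: `mvn dependency:tree -Dincludes=com.google.guava` prints every path to Guava and the version each one resolves to, which is the same view a scanner uses when it attributes the CVE to the build. Pinning a managed version is the usual short-term control for a transitive finding; it does not change what the upstream artifact declares, so the pin should be removed once the upstream (here, a newer connect-runtime or curator-test) ships with a fixed Guava.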

@mguenther mguenther self-assigned this Nov 18, 2023
@mguenther mguenther added this to the 3.5.1 milestone Nov 18, 2023
mguenther added a commit that referenced this issue Nov 18, 2023
Have a look at https://nvd.nist.gov/vuln/detail/cve-2020-8908 for a detailed analysis of the CVE, as well as this short analysis https://devhub.checkmarx.com/cve-details/CVE-2020-8908/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea on how you might be affected. CURATOR-642 is the issue at the Apache Curator project. They claim their new release fixes CVE-2020-8908, but Guava is supposedly still susceptible to the same exploit.
@mguenther
Owner

Thanks for your kind words, and, of course, for bringing this issue to my attention.

Guava in version 27.0.1-jre is introduced with curator-test in 5.1.0, not connect-runtime. They've addressed the issue with CURATOR-642. Unfortunately, mvnrepository.com still lists CVE-2020-8908 as a vulnerability of the latest version 5.5.0 (still, coming from Guava).

I'll release a patch version 3.5.1 which increases the version of curator-test anyway; the bundled Guava version seems to fix other issues as well. That's the best I can do now.

In the meantime, please also have a look at this short analysis on CVE-2020-8908. The criticality of it is quite low, but please, do make sure that the attack vector is nothing that troubles your sleep ;).

@mguenther
Owner

Release 3.5.1 is on its way. I'll file a release note once it's available at Maven central.

@mguenther mguenther added the dependencies Pull requests that update a dependency file label Nov 18, 2023
@jburgess
Author

Thanks so much for the quick fix and the correction of the affected package. I concur the attack vector is non-existent for my use-case; just trying to clean up any build warnings where I can.
