CVE-2020-8908 in Transitive Dependency #99
First, thanks for a fantastic method to test Kafka in unit tests. Very helpful!
It looks like this CVE is associated with the Guava transient dependency.
org.apache.kafka:connect-runtime:3.4.0
-> org.apache.curator:curator-test:5.1.0
-> com.google.guava:guava:27.0.1-jre
It looks like connect-runtime version 3.6.0 resolves the CVE. Possible to upgrade to this version?

Comments

Have a look at https://nvd.nist.gov/vuln/detail/cve-2020-8908 for a detailed analysis of the CVE, as well as this short analysis https://devhub.checkmarx.com/cve-details/CVE-2020-8908/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea on how you might be affected. CURATOR-642 is the issue at the Apache Curator project. They claim their new release fixes CVE-2020-8908, but Guava is supposedly still susceptible to the same exploit.

Thanks for your kind words, and, of course, for bringing this issue to my attention. Guava in version 27.0.1-jre is introduced with I'll release a patch version 3.5.1 which increases the version In the meantime, please also have a look at this short analysis on CVE-2020-8908. The criticality of it is quite low, but please, do make sure that the attack vector is nothing that troubles your sleep ;).

Release 3.5.1 is on its way. I'll file a release note once it's available at Maven Central.

Thanks so much for the quick fix and the correction of the affected package. I concur the attack vector is non-existent for my use-case; just trying to clean up any build warnings where I can.
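A build-side check for the chain reported in this issue, added here as example code (not from the issue, the project or Kafka): it parses `mvn dependency:tree` text output and lists every root-to-Guava path whose Guava predates 30.0, the version the CVE-2020-8908 advisory names as fixing `Files.createTempDir`. The sample tree is constructed to mirror the reported chain; the 30.0 threshold is an assumption taken from the advisory, not from this page.

```python
"""Flag a vulnerable transitive Guava in `mvn dependency:tree` text output."""
import re
from typing import List, Tuple

# Constructed sample in `mvn dependency:tree` format, mirroring the chain
# reported in the issue (connect-runtime -> curator-test -> guava 27.0.1-jre).
SAMPLE_TREE = """\
com.example:kafka-connect-tests:jar:1.0.0
+- org.apache.kafka:connect-runtime:jar:3.4.0:test
|  +- org.apache.curator:curator-test:jar:5.1.0:test
|  |  \\- com.google.guava:guava:jar:27.0.1-jre:test
|  \\- org.apache.kafka:kafka-clients:jar:3.4.0:test
\\- junit:junit:jar:4.13.2:test
"""

GUAVA = "com.google.guava:guava"
GUAVA_FIXED_IN = (30, 0)  # assumption: advisory says "update to 30.0 or later"
# Filler groups ("|  " or "   ") encode depth; "+- " or "\- " marks a child node.
NODE_RE = re.compile(r"^(?P<fill>(?:\|  |   )*)(?P<mark>[+\\]- )?(?P<gav>\S+)$")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version: '27.0.1-jre' -> (27, 0, 1)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    # Non-numeric versions yield () and therefore compare as vulnerable.
    return tuple(int(p) for p in match.group(0).split(".")) if match else ()


def vulnerable_guava_paths(tree: str) -> List[List[str]]:
    """Return every root-to-Guava path whose Guava is older than GUAVA_FIXED_IN."""
    paths: List[List[str]] = []
    stack: List[str] = []  # stack[i] = "group:artifact:version" at depth i
    for raw in tree.splitlines():
        node = NODE_RE.match(re.sub(r"^\[INFO\] ?", "", raw.rstrip()))
        if not node:
            continue  # plugin banners and other log chatter are skipped
        parts = node["gav"].split(":")
        if len(parts) < 4:
            continue
        # g:a:type:version[:scope]  or  g:a:type:classifier:version:scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        depth = len(node["fill"]) // 3 + (1 if node["mark"] else 0)
        del stack[depth:]  # drop siblings' subtrees before descending
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if f"{parts[0]}:{parts[1]}" == GUAVA and version_key(version) < GUAVA_FIXED_IN:
            paths.append(list(stack))
    return paths


if __name__ == "__main__":
    for path in vulnerable_guava_paths(SAMPLE_TREE):
        print("vulnerable Guava via: " + " -> ".join(path))
```

Feed it the saved output of `mvn dependency:tree` (with or without the `[INFO]` prefixes) and fail the build when the returned list is non-empty.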