v2.2.6

Latest

@pszkamruk-splunk released this 29 Apr 13:28
· 1 commit to develop since this release
82672d1

Fixing vulnerabilities:

GHSA-445c-vh5m-36rj
A flaw was found in Apache Log4j Core. This vulnerability allows for log injection through the use of Carriage Return Line Feed (CRLF) sequences. This occurs because security-related configuration attributes were silently renamed, impacting users who directly configure Rfc5424Layout with stream-based syslog services. An attacker could exploit this to inject malicious data into log files, potentially obscuring critical security events or manipulating system records.
CVE-2025-67030
A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code.
GHSA-wf66-mphr-4c4r
An information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component outputs entire requests and responses to the logs at the DEBUG log level. By default, the log level is set to INFO. If the DEBUG level is enabled, sensitive information is exposed through the logged requests and responses.

What's Changed

Full Changelog: v2.2.5...v2.2.6