neeleshkorade opened a new issue #12260: URL: https://github.com/apache/druid/issues/12260
Hi, This is following a [brief chat](https://the-asf.slack.com/archives/CJ8D1JTB8/p1643783372493569) with @cryptoe in the Apache #Druid slack channel. Logging this issue based on advice from there.

To summarize here, we recently upgraded to Druid `0.22.1` in the hope that some of the vulnerabilities reported on the earlier version `0.20.1` were addressed in it. However, the internal security team has reported many of the same issues on the newer version as well. Following are two of the vulnerabilities as an example:

| Components + Version | CVSS / CWE | Fix Version |
| ----------- | ----------- | ------ |
| opt/apache-druid-0.22.1/lib/hibernate-validator-5.2.5.Final.jar | [CVE-2017-7536](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7536) / [CWE-470](https://cwe.mitre.org/data/definitions/470.html)<br>[CVE-2019-10219](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10219) / [CWE-79](https://cwe.mitre.org/data/definitions/79.html)<br>[CVE-2020-10693](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10693) / [CWE-20](https://cwe.mitre.org/data/definitions/20.html) | 6.0.0.Alpha1 |
| opt/apache-druid-0.22.1/lib/json-smart-2.3.jar | [CVE-2021-27568](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27568) / [CWE-754](https://cwe.mitre.org/data/definitions/754.html)<br>[CVE-2021-31684](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31684) / [CWE-787](https://cwe.mitre.org/data/definitions/787.html) | 2.4.4 |

We are looking to understand the Druid project's plan for fixing these and any guidance on how to best mitigate these for now. Would appreciate help on this.
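As an added defender-side check (not code from the issue or from the Druid project), the following Python script parses Maven-style jar file names from a Druid `lib/` directory and flags any artifact that is still below the fix version the scanner reported in the table above; the jar list is constructed here from the two paths in the issue plus one hypothetical already-patched jar, and the `FIX_VERSIONS` map is taken from the table's "Fix Version" column.

```python
import re
from pathlib import PurePosixPath

# Artifact -> first version the scanner reported as fixed (from the issue's table).
FIX_VERSIONS = {"hibernate-validator": "6.0.0.Alpha1", "json-smart": "2.4.4"}
# Maven-style qualifier order; no qualifier, "Final" or "GA" all mean a release.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3, "final": 3, "ga": 3}
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")

def split_jar_name(path):
    """Return (artifact, version) for a Maven-style jar path, or None if it does not parse."""
    m = JAR_RE.match(PurePosixPath(path).name)
    return (m.group("artifact"), m.group("version")) if m else None

def version_key(version):
    """Sortable key: zero-padded numeric parts, then qualifier rank, then qualifier number."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[.-]?(.*))?$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    qual = (m.group(2) or "").lower()
    qm = re.fullmatch(r"([a-z]*)(\d*)", qual)
    name, num = (qm.group(1), qm.group(2)) if qm else (qual, "")
    return nums + (0,) * (4 - len(nums)), QUALIFIER_RANK.get(name, 3), int(num or 0)

def is_below_fix(version, fix_version):
    """True when `version` sorts before the version the scanner reports as fixed."""
    return version_key(version) < version_key(fix_version)

def find_vulnerable_jars(jar_paths, fix_versions=FIX_VERSIONS):
    """Return (path, artifact, version, fix_version) for each jar still below its fix."""
    hits = []
    for path in jar_paths:
        parsed = split_jar_name(path)
        if parsed is None or parsed[0] not in fix_versions:
            continue
        artifact, version = parsed
        if is_below_fix(version, fix_versions[artifact]):
            hits.append((path, artifact, version, fix_versions[artifact]))
    return hits

# Constructed sample: the two jars named in the issue plus a hypothetical patched one.
SAMPLE_JARS = [
    "opt/apache-druid-0.22.1/lib/hibernate-validator-5.2.5.Final.jar",
    "opt/apache-druid-0.22.1/lib/json-smart-2.3.jar",
    "opt/apache-druid-0.22.1/lib/json-smart-2.4.4.jar",  # hypothetical, not in the issue
]

for path, artifact, version, fix in find_vulnerable_jars(SAMPLE_JARS):
    print(f"{path}: {artifact} {version} is below fix version {fix}")
```

On a real installation, replace `SAMPLE_JARS` with the output of `os.listdir` on the `lib/` directory; a jar that is a shaded or relocated copy of a vulnerable library will not be caught by file-name matching alone.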
