abhagraw commented on PR #13956: URL: https://github.com/apache/druid/pull/13956#issuecomment-1477527475
Suppressing the following CVEs:

- [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688) - This does not affect us as we do not use XML.
  ```
  A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
  ```
- [CVE-2020-11612](https://nvd.nist.gov/vuln/detail/CVE-2020-11612) - To suppress this we need to update to Netty 4 (a lot of other dependencies are waiting on this).
  ```
  The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
  ```
- [CVE-2021-28170](https://nvd.nist.gov/vuln/detail/CVE-2021-28170) - Updated to jakarta.el 3.0.4.
  ```
  In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
  ```
- [CVE-2023-1370](https://ubuntu.com/security/CVE-2023-1370) - Druid only parses JSON with expected formats.
  ```
  Json-smart is a performance focused, JSON processor lib. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
  ```

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
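The CVE-2023-1370 description above comes down to one property: a recursive-descent parser spends one stack frame per level of `[`/`{` nesting, so input depth becomes a resource the sender controls. The usual mitigation is to bound nesting before the recursive parser sees the document. The following is an added example, not code from the PR or from Druid or json-smart: an iterative pre-check (`check_nesting_depth`, a hypothetical name) that scans the text once, ignores brackets inside string literals, and rejects anything deeper than a configured limit in bounded time and constant stack. `SHALLOW_JSON` and `DEEP_JSON` are constructed sample inputs; the depth limit of 64 is an assumed policy value, not a json-smart or Druid setting.

```python
import json

# Constructed sample inputs (not taken from the PR or any Druid request).
SHALLOW_JSON = (
    '{"type": "timeseries", "intervals": ["2023-01-01/2023-01-02"], '
    '"filter": {"type": "selector", "value": "a"}}'
)
# 100,000 nested arrays: well-formed JSON, but far deeper than any sane client sends.
DEEP_JSON = "[" * 100_000 + "]" * 100_000


class NestingTooDeep(ValueError):
    """Raised when a document exceeds the configured nesting limit."""


def check_nesting_depth(text: str, max_depth: int = 64) -> int:
    """Return the maximum bracket nesting depth of a JSON text.

    The scan is a single iterative pass (no recursion, O(len(text)) time) and
    aborts as soon as max_depth is exceeded, so an attacker-sized input costs
    at most one linear scan. Brackets inside string literals are skipped, with
    backslash escapes honoured so an escaped quote does not end the string.
    """
    depth = 0
    max_seen = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise NestingTooDeep(f"nesting depth exceeds {max_depth}")
            max_seen = max(max_seen, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    return max_seen


def parse_bounded(text: str, max_depth: int = 64):
    """Gate a recursive parser behind the depth check.

    json.loads is used here as a stand-in for any recursive parser; the point
    is that it never runs on input the pre-check has already rejected.
    """
    check_nesting_depth(text, max_depth)
    return json.loads(text)


def is_rejected(text: str, max_depth: int = 64) -> bool:
    """True if the document is refused by the nesting limit, False if it parses."""
    try:
        parse_bounded(text, max_depth)
    except NestingTooDeep:
        return True
    return False


def main() -> None:
    print("shallow document depth:", check_nesting_depth(SHALLOW_JSON))
    print("deep document rejected before parsing:", is_rejected(DEEP_JSON))


if __name__ == "__main__":
    main()
```

The check is deliberately separate from the parser: it applies the same way in front of json-smart, Jackson or any other library, and it lets a service log and count rejections as a detection signal rather than discovering the problem as a crashed worker. The limit should be set from the deepest document the application legitimately accepts, with some headroom, rather than from the stack size of one runtime.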
