tejaswini-imply opened a new pull request, #14440: URL: https://github.com/apache/druid/pull/14440
Currently Druid is using Avro version 1.9.2, and one of its transitive dependencies, `velocity-engine-core-2.2.jar` in particular, is bringing in CVE-2020-13936. Despite this CVE (an attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container; this applies to applications that allow untrusted users to upload/modify Velocity templates running Apache Velocity Engine versions up to 2.2) being a false positive, as we don't allow untrusted users to upload Velocity templates, it is causing red security scans on the Druid distribution. Hence, updating Avro to the latest version, 1.11.1, which uses `velocity-engine-core-2.3.jar`.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
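The PR above bumps a direct dependency so that a transitive one moves off the version flagged by the scanner. As an added illustration (not the PR's own diff, and not Druid's actual pom, whose module layout and property names are not shown on this page), the Maven fragment below does two things a reviewer would want from such a change: it manages every Avro artifact to 1.11.1 so no module silently keeps 1.9.2, and it adds a maven-enforcer `bannedDependencies` rule that fails the build if any dependency path, including a transitive one from some other library, still resolves `org.apache.velocity:velocity-engine-core` below 2.3. The property name `avro.version`, the enforcer plugin version, and the choice of Avro artifacts are assumptions for illustration.

```xml
<!-- Added example, not the Druid PR's own change: a pom.xml fragment that
     (1) pins the Avro version the PR moves to and (2) makes the build fail if
     any dependency path still resolves velocity-engine-core older than 2.3.
     Property name, plugin version and artifact list are assumptions. -->
<project>
  <properties>
    <!-- Avro 1.11.1 pulls in velocity-engine-core 2.3 instead of 2.2 -->
    <avro.version>1.11.1</avro.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Manage each Avro artifact the build uses to the same version, so a
           module that declares avro-compiler cannot stay on 1.9.2 while
           another module moves to 1.11.1. -->
      <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
        <version>${avro.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro-compiler</artifactId>
        <version>${avro.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <!-- assumed version; use whatever the build already pins -->
        <version>3.3.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-velocity</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- searchTransitive defaults to true, so transitive
                       paths are checked, not only direct declarations -->
                  <excludes>
                    <!-- Maven range (,2.3) = any version strictly below 2.3;
                         this is the range the CVE text covers ("up to 2.2") -->
                    <exclude>org.apache.velocity:velocity-engine-core:(,2.3)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm which modules actually resolve the artifact, and at what version, after the bump, run `mvn dependency:tree -Dincludes=org.apache.velocity` from the root of the build; the enforcer rule then keeps a later dependency addition from quietly reintroducing the 2.2 jar and turning the scan red again.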
