suddendust opened a new issue, #18593:
URL: https://github.com/apache/pinot/issues/18593
Hi, I ran a Prisma scan on the latest Pinot release and see the following vulns
(these are `critical` and `high`; there are some `medium` and `low` as well, not
mentioned here):
```
| CVE            | Severity | CVSS | Package                                        | Version          | Status (fix released)                                | Published  | Discovered | Description |
|----------------|----------|------|------------------------------------------------|------------------|------------------------------------------------------|------------|------------|-------------|
| CVE-2026-2332  | critical | 9.10 | org.eclipse.jetty_jetty-io                     | 9.4.58.v20250814 | fixed in 12.1.7, 12.0.33, 11.0.28,... (25 days ago)  | 42 days    | < 1 hour   | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques ou... |
| CVE-2026-33871 | high     | 8.70 | io.netty_netty-codec-http2                     | 4.1.122.Final    | fixed in 4.2.11.Final, 4.1.132.Final (61 days ago)   | 60 days    | < 1 hour   | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a... |
| CVE-2025-59419 | high     | 7.70 | io.netty_netty-codec-smtp                      | 4.1.122.Final    | fixed in 4.2.7.Final, 4.1.128.Final (> 7 months ago) | > 7 months | < 1 hour   | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty cont... |
| CVE-2026-42587 | high     | 7.50 | io.netty_netty-codec-http                      | 4.1.122.Final    | fixed in 4.2.13.Final, 4.1.133.Final (19 days ago)   | 13 days    | < 1 hour   | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAl... |
| CVE-2026-42587 | high     | 7.50 | io.netty_netty-codec-http2                     | 4.1.122.Final    | fixed in 4.2.13.Final, 4.1.133.Final (19 days ago)   | 13 days    | < 1 hour   | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAl... |
| CVE-2026-42583 | high     | 7.50 | io.netty_netty-codec                           | 4.1.122.Final    | fixed in 4.1.133.Final (19 days ago)                 | 13 days    | < 1 hour   | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of ... |
| CVE-2026-42579 | high     | 7.50 | io.netty_netty-codec-dns                       | 4.1.122.Final    | fixed in 4.2.13.Final, 4.1.133.Final (19 days ago)   | 13 days    | < 1 hour   | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC... |
| CVE-2026-34481 | high     | 7.50 | org.apache.logging.log4j_log4j-core            | 2.25.3           | fixed in 2.25.4 (32 days ago)                        | 46 days    | < 1 hour   | Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, pr... |
| CVE-2026-34480 | high     | 7.50 | org.apache.logging.log4j_log4j-core            | 2.25.3           | fixed in 2.25.4 (46 days ago)                        | 46 days    | < 1 hour   | Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to ... |
| CVE-2026-34479 | high     | 7.50 | org.apache.logging.log4j_log4j-core            | 2.25.3           | fixed in 2.25.4 (20 days ago)                        | 46 days    | < 1 hour   | The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML ou... |
| CVE-2026-34478 | high     | 7.50 | org.apache.logging.log4j_log4j-core            | 2.25.3           | fixed in 2.25.4 (43 days ago)                        | 46 days    | < 1 hour   | Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vul... |
| CVE-2026-33870 | high     | 7.50 | io.netty_netty-codec-http                      | 4.1.122.Final    | fixed in 4.2.10.Final, 4.1.132.Final (61 days ago)   | 60 days    | < 1 hour   | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses qu... |
| CVE-2025-55163 | high     | 7.50 | io.netty_netty-codec-http2                     | 4.1.122.Final    | fixed in 4.2.4.Final, 4.1.124.Final (> 9 months ago) | > 9 months | < 1 hour   | Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouR... |
| CVE-2026-45300 | high     | 7.40 | org.asynchttpclient_async-http-client          | 3.0.7            | fixed in 3.0.10, 2.15.0 (8 days ago)                 | n/a        | < 1 hour   | (no description given by the scanner) |
| CVE-2026-2332  | high     | 7.40 | org.eclipse.jetty_jetty-http                   | 9.4.58.v20250814 | fixed in 12.1.7, 12.0.33 (42 days ago)               | 42 days    | < 1 hour   | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques ou... |
| CVE-2026-42584 | high     | 7.30 | io.netty_netty-codec-http                      | 4.1.122.Final    | fixed in 4.2.13.Final, 4.1.133.Final (19 days ago)   | 13 days    | < 1 hour   | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound resp... |
| CVE-2026-40542 | high     | 7.30 | org.apache.httpcomponents.client5_httpclient5  | 5.6              | fixed in 5.6.1 (27 days ago)                         | 34 days    | < 1 hour   | Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without... |
```
Is there a plan to fix these? Thanks!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
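The scan above reports the same CVE against several artifacts and several CVEs against the same artifact, so the question a maintainer actually has to answer is "which single version of each dependency line clears every finding?". The helper below, an added example that is not part of the issue or of the Pinot project, embeds the findings from the table as constructed literal data, deduplicates the CVE list, and for each artifact picks the lowest "fixed in" version that sits on the same release line (same leading major.minor) as the installed version, then takes the maximum over the artifact's CVEs. It then collapses artifacts to their group (the part before `_`, e.g. `io.netty`), since a Maven build normally pins one version per group. Where the scan lists no fix on the installed line, as for Jetty 9.4, the CVE is reported as unfixed on that line; note that the scanner truncated the Jetty fix list (`11.0.28,...`), so "unfixed here" only means "no fix among the versions shown". The function and variable names are the example's own.

```python
"""Triage helper for a Prisma/twistcli-style dependency scan (added example).

Given (CVE, artifact, installed version, fixed-in versions) tuples, work out
the minimal same-line upgrade per artifact and per group.
"""
import re
from collections import defaultdict

# Constructed from the scan table in the issue above (fix lists as printed,
# with the scanner's truncation marker dropped; Jetty's list is incomplete).
FINDINGS = [
    ("CVE-2026-2332",  "org.eclipse.jetty_jetty-io",                  "9.4.58.v20250814", ["12.1.7", "12.0.33", "11.0.28"]),
    ("CVE-2026-2332",  "org.eclipse.jetty_jetty-http",                "9.4.58.v20250814", ["12.1.7", "12.0.33"]),
    ("CVE-2026-33871", "io.netty_netty-codec-http2",                  "4.1.122.Final",    ["4.2.11.Final", "4.1.132.Final"]),
    ("CVE-2025-59419", "io.netty_netty-codec-smtp",                   "4.1.122.Final",    ["4.2.7.Final", "4.1.128.Final"]),
    ("CVE-2026-42587", "io.netty_netty-codec-http",                   "4.1.122.Final",    ["4.2.13.Final", "4.1.133.Final"]),
    ("CVE-2026-42587", "io.netty_netty-codec-http2",                  "4.1.122.Final",    ["4.2.13.Final", "4.1.133.Final"]),
    ("CVE-2026-42583", "io.netty_netty-codec",                        "4.1.122.Final",    ["4.1.133.Final"]),
    ("CVE-2026-42579", "io.netty_netty-codec-dns",                    "4.1.122.Final",    ["4.2.13.Final", "4.1.133.Final"]),
    ("CVE-2026-34481", "org.apache.logging.log4j_log4j-core",         "2.25.3",           ["2.25.4"]),
    ("CVE-2026-34480", "org.apache.logging.log4j_log4j-core",         "2.25.3",           ["2.25.4"]),
    ("CVE-2026-34479", "org.apache.logging.log4j_log4j-core",         "2.25.3",           ["2.25.4"]),
    ("CVE-2026-34478", "org.apache.logging.log4j_log4j-core",         "2.25.3",           ["2.25.4"]),
    ("CVE-2026-33870", "io.netty_netty-codec-http",                   "4.1.122.Final",    ["4.2.10.Final", "4.1.132.Final"]),
    ("CVE-2025-55163", "io.netty_netty-codec-http2",                  "4.1.122.Final",    ["4.2.4.Final", "4.1.124.Final"]),
    ("CVE-2026-45300", "org.asynchttpclient_async-http-client",       "3.0.7",            ["3.0.10", "2.15.0"]),
    ("CVE-2026-42584", "io.netty_netty-codec-http",                   "4.1.122.Final",    ["4.2.13.Final", "4.1.133.Final"]),
    ("CVE-2026-40542", "org.apache.httpcomponents.client5_httpclient5", "5.6",            ["5.6.1"]),
]


def version_key(version):
    """Numeric components of a version string, for ordering.
    '4.1.133.Final' -> (4, 1, 133); '9.4.58.v20250814' -> (9, 4, 58, 20250814)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def release_line(version, depth=2):
    """Leading major.minor components, used to decide what counts as a same-line upgrade."""
    return version_key(version)[:depth]


def minimal_fix(installed, fixed_in):
    """Lowest fixed version on the installed release line that is newer than
    what is installed, or None when the scan lists no such fix."""
    line = release_line(installed)
    candidates = [v for v in fixed_in
                  if release_line(v) == line and version_key(v) > version_key(installed)]
    return min(candidates, key=version_key) if candidates else None


def unique_cves(findings):
    """Number of distinct CVE ids (the scanner prints one row per artifact)."""
    return len({cve for cve, _, _, _ in findings})


def upgrade_plan(findings):
    """Per artifact: installed version, CVEs, the same-line version that clears
    all of them (max of the per-CVE minimal fixes), and CVEs with no such fix."""
    plan = {}
    for cve, artifact, installed, fixed_in in findings:
        entry = plan.setdefault(artifact, {"installed": installed, "cves": set(),
                                           "target": None, "unfixed": set()})
        entry["cves"].add(cve)
        fix = minimal_fix(installed, fixed_in)
        if fix is None:
            entry["unfixed"].add(cve)
        elif entry["target"] is None or version_key(fix) > version_key(entry["target"]):
            entry["target"] = fix
    return plan


def group_targets(plan):
    """Collapse artifacts to their group (text before '_') and keep the highest
    target, since one property usually pins the whole group in a Maven build."""
    groups = defaultdict(lambda: None)
    for artifact, entry in plan.items():
        group = artifact.split("_", 1)[0]
        target = entry["target"]
        if target and (groups[group] is None or version_key(target) > version_key(groups[group])):
            groups[group] = target
        else:
            groups[group] = groups[group]  # keep None for groups with no same-line fix
    return dict(groups)


if __name__ == "__main__":
    plan = upgrade_plan(FINDINGS)
    print(f"{unique_cves(FINDINGS)} distinct CVEs across {len(FINDINGS)} rows")
    for group, target in sorted(group_targets(plan).items()):
        print(f"{group}: {'bump to ' + target if target else 'no same-line fix listed'}")
    for artifact, entry in sorted(plan.items()):
        if entry["unfixed"]:
            print(f"  {artifact} {entry['installed']}: no same-line fix for {sorted(entry['unfixed'])}")
```

On the data above this yields `io.netty` -> 4.1.133.Final, `org.apache.logging.log4j` -> 2.25.4, `org.asynchttpclient` -> 3.0.10, `org.apache.httpcomponents.client5` -> 5.6.1, and flags both Jetty 9.4 artifacts as having no 9.4.x fix among the versions the scanner printed. That last case is the one to check by hand against the advisory rather than trust the truncated column.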