nikhil-ctds opened a new issue, #21788: URL: https://github.com/apache/pulsar/issues/21788

### Search before asking

- [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Version

Pulsar version `3.1.2` on branch `branch-3.1` is facing the moderate vulnerabilities [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), [CVE-2023-4785](https://nvd.nist.gov/vuln/detail/CVE-2023-4785#range-9583768) and [CVE-2023-33953](https://nvd.nist.gov/vuln/detail/CVE-2023-33953), related to the packages:

- io.grpc:grpc-core
- io.grpc:grpc-protobuf

Below are the versions available in Pulsar:

- `<grpc.version>1.55.3</grpc.version>`

Maven dependency: pulsar - org.apache.pulsar 3.1.2

### Minimal reproduce step

Run the Pulsar CI workflow on Pulsar branch `branch-3.1`.

### What did you expect to see?

Expected to pass the `OWASP dependency check` under the `Pulsar CI` workflow.

### What did you see instead?

Vulnerability

```
Error: Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default) on project pulsar:
Error:
Error: One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
Error:
Error: grpc-core-1.37.0.jar: CVE-2023-44487(7.5), CVE-2023-4785(7.5), CVE-2023-33953(7.5)
Error: grpc-core-1.55.3.jar: CVE-2023-44487(7.5)
Error: grpc-protobuf-1.37.0.jar: CVE-2023-44487(7.5), CVE-2023-4785(7.5), CVE-2023-33953(7.5)
Error: grpc-protobuf-1.55.3.jar: CVE-2023-44487(7.5)
```

### Anything else?

_No response_

### Are you willing to submit a PR?

- [ ] I'm willing to submit a PR!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
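The dependency-check output quoted above carries a triage hint that is easy to miss: each gRPC artifact is flagged at two versions, `1.55.3` (the version the `<grpc.version>` property declares) and `1.37.0` (which no property in the report accounts for). Bumping the property clears only the declared copy; the older jar is a second copy arriving transitively and needs its own pin. The script below is an added example, not code from the issue or from the Pulsar project: it parses the quoted failure lines (embedded as a constructed sample) into `(artifact, version, CVE, CVSS)` tuples and classifies every flagged version as `declared` or `stray` against a map of managed versions, which is an assumption of this example built from the `<grpc.version>` value in the report.

```python
import re
from collections import defaultdict

# Constructed sample: the dependency-check-maven failure lines quoted in the issue
# above, one per line. The "Error:" prefix is the CI log annotation, not part of
# the plugin's own message.
SAMPLE_LOG = """\
Error: Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default) on project pulsar:
Error: One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
Error: grpc-core-1.37.0.jar: CVE-2023-44487(7.5), CVE-2023-4785(7.5), CVE-2023-33953(7.5)
Error: grpc-core-1.55.3.jar: CVE-2023-44487(7.5)
Error: grpc-protobuf-1.37.0.jar: CVE-2023-44487(7.5), CVE-2023-4785(7.5), CVE-2023-33953(7.5)
Error: grpc-protobuf-1.55.3.jar: CVE-2023-44487(7.5)
"""

# Assumed for this example: artifactId -> version the build declares. The value
# comes from the <grpc.version>1.55.3</grpc.version> property in the issue.
MANAGED_VERSIONS = {"grpc-core": "1.55.3", "grpc-protobuf": "1.55.3"}

# "<artifactId>-<version>.jar: CVE-...(score), ..." as printed by dependency-check.
# The artifactId is matched lazily so the first "-<digit>" starts the version.
JAR_LINE = re.compile(
    r"^(?:Error:\s*)?(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.-]*)\.jar:\s*(?P<cves>.+)$"
)
CVE_SCORE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")


def parse_findings(log: str):
    """Return (artifact, version, cve, cvss) tuples for every flagged jar line."""
    findings = []
    for raw in log.splitlines():
        m = JAR_LINE.match(raw.strip())
        if not m:  # goal/summary lines carry no ".jar:" and are skipped
            continue
        for cve, score in CVE_SCORE.findall(m.group("cves")):
            findings.append((m.group("artifact"), m.group("version"), cve, float(score)))
    return findings


def triage(findings, managed_versions, threshold=7.0):
    """Group findings by artifact and label each flagged version.

    "declared": the version the build pins; the pin itself must move to a fixed release.
    "stray": a different version on the classpath, i.e. a transitive copy that the
    property does not govern and that needs its own dependencyManagement entry.
    """
    by_artifact = defaultdict(lambda: defaultdict(set))
    for artifact, version, cve, score in findings:
        if score >= threshold:  # same cut-off the plugin is configured with
            by_artifact[artifact][version].add(cve)

    report = {}
    for artifact, versions in sorted(by_artifact.items()):
        declared = managed_versions.get(artifact)
        report[artifact] = [
            {
                "version": version,
                "kind": "declared" if version == declared else "stray",
                "cves": sorted(cves),
            }
            for version, cves in sorted(versions.items())
        ]
    return report


if __name__ == "__main__":
    for artifact, entries in triage(parse_findings(SAMPLE_LOG), MANAGED_VERSIONS).items():
        for e in entries:
            print(f"{artifact} {e['version']:<8} {e['kind']:<8} {', '.join(e['cves'])}")
```

A `stray` row is the cue to ask the build where that version comes from; with Maven, `mvn dependency:tree -Dincludes=io.grpc` lists every path that pulls in an `io.grpc` artifact, and the one carrying `1.37.0` is the dependency to exclude or to override in `<dependencyManagement>`. The script does not decide which gRPC release closes the three CVEs; that has to come from the advisories linked in the issue.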
