klwilson227 opened a new issue #8061:
URL: https://github.com/apache/pulsar/issues/8061


   **Describe the bug**
   Issue path: /pulsar/lib/presto/lib/async-http-client-1.9.40.jar
   Async Http Client (aka async-http-client) before 2.0.35 can be tricked into
connecting to a host different from the one extracted by java.net.URI if a "?"
character occurs in a fragment identifier. Similar bugs were previously
identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
   
   Reference Info:
   
   https://nvd.nist.gov/vuln/detail/CVE-2017-14063
   
   Severity Rating: 7.5 High
   
   **To Reproduce**
   STAT CVE scan and report of pulsar-core docker image. 
   
   **Expected behavior**
   Expect no HIGH CVEs to be reported.
   
   **Additional context**
   This appears to be an issue in the
pulsar-sql/pulsar-presto-distribution/pom.xml, which points to the previous
com.ning version of async-http-client. Upgrading the pom.xml to point to
org.asynchttpclient:async-http-client:2.12.1, the same as the high-level pom, may
resolve the issue.
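Added example, not from the issue or from the Pulsar project: a POSIX shell check that flags async-http-client jars older than the fixed 2.0.35 release, so a bundled artifact like the one reported above can be caught before a scanner does. The jar list is constructed inline (the path from the issue plus a hypothetical upgraded jar under /tmp/constructed) so it runs offline; in practice feed it the output of `find`.

```shell
#!/bin/sh
# Added example (not Pulsar's own tooling): flag async-http-client jars below
# the version that fixed CVE-2017-14063.
FIXED_VERSION="2.0.35"

# version_lt A B: exit 0 if dot-separated version A is numerically lower than B.
# Implemented in awk so it does not depend on GNU 'sort -V'.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "\\."); nb = split(b, y, "\\.")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# jar_version PATH: print the version embedded in .../async-http-client-<ver>.jar
jar_version() {
  basename "$1" .jar | sed 's/.*async-http-client-//'
}

# check_jar PATH: print a verdict; return 1 if the jar is below FIXED_VERSION.
check_jar() {
  v=$(jar_version "$1")
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "VULNERABLE $1 (async-http-client $v < $FIXED_VERSION, CVE-2017-14063)"
    return 1
  fi
  echo "OK $1 (async-http-client $v)"
  return 0
}

# Constructed sample input: the jar reported in the issue and a hypothetical
# upgraded jar. Replace with: find /pulsar -name 'async-http-client-*.jar'
SAMPLE_JARS="/pulsar/lib/presto/lib/async-http-client-1.9.40.jar
/tmp/constructed/async-http-client-2.12.1.jar"

for jar in $SAMPLE_JARS; do
  check_jar "$jar" || :
done
```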

