happyhapi opened a new issue, #1240:
URL: https://github.com/apache/rocketmq-clients/issues/1240

   ### Before Creating the Bug Report
   
   - [x] I found a bug, not just asking a question, which should be created in 
[GitHub Discussions](https://github.com/apache/rocketmq-clients/discussions).
   
   - [x] I have searched the [GitHub 
Issues](https://github.com/apache/rocketmq-clients/issues) and [GitHub 
Discussions](https://github.com/apache/rocketmq-clients/discussions)  of this 
repository and believe that this is not a duplicate.
   
   - [x] I have confirmed that this bug belongs to the current repository, not 
other repositories of RocketMQ.
   
   
   ### Programming Language of the Client
   
   Java
   
   ### Runtime Platform Environment
   
   Not involved
   
   ### RocketMQ Version of the Client/Server
   
   Client 5.2.0
   Server 5.3.1
   
   ### Run or Compiler Version
   
   Compiler: Oracle OpenJDK 1.8.0_171
   
   ### Describe the Bug
   
   During our use of rocketmq-client-java-5.2.0, the following component 
vulnerabilities were discovered:
   (1) CVE-2024-7254 com.google.protobuf:protobuf-java-util:3.24.4
   (2) CVE-2025-48924 org.apache.commons:commons-lang3:3.4
   (3) CVE-2023-2976 com.google.guava:guava:32.0.0-jre
   We hope that the above-mentioned component vulnerabilities can be fixed as 
soon as possible and that a new SDK version can be released. Thank you very 
much for solving our problems.
   
   When running a security scan of rocketmq-client-java, the following components were found to be on old versions with corresponding vulnerabilities:
   (1) CVE-2024-7254 com.google.protobuf:protobuf-java-util:3.24.4
   (2) CVE-2025-48924 org.apache.commons:commons-lang3:3.4
   (3) CVE-2023-2976 com.google.guava:guava:32.0.0-jre
   We hope these can be upgraded, fixed and released as soon as possible. Many thanks!
   
   ### Steps to Reproduce
   
   The relevant vulnerable dependencies have been packaged into the 
rocketmq-client-java jar package, and the specific location is in 
./META-INF/maven
   
   The vulnerable jar dependencies have been packaged into the rocketmq-client-java jar; the specific location is the ./META-INF/maven directory.
   
   ### What Did You Expect to See?
   
   Jar packages should not contain known CVEs.
   
   ### What Did You See Instead?
   
   The current rocketmq-client-java jar is affected by CVE-2024-7254, 
CVE-2025-48924 and CVE-2023-2976.
   
   ### Additional Context
   
   _No response_
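The report locates the bundled dependencies under META-INF/maven inside the client jar. The following script is an added example, not part of this issue or of the RocketMQ project: it shows how a defender can enumerate the Maven coordinates shaded into a jar by reading each bundled pom.properties, and flag any that appear on a watch list. The watch list is constructed from the coordinates this report names, the jar is a constructed in-memory stand-in containing only the files the scan reads, and the version comparison ignores qualifiers such as `-jre`; a production check would consult an advisory database with the proper affected-version ranges instead of this hand-built list.

```python
import io
import re
import zipfile

# Constructed watch list: (groupId, artifactId) -> (CVE, version this report names as affected).
# Assumption: anything at or below the named version is treated as affected.
WATCH_LIST = {
    ("com.google.protobuf", "protobuf-java-util"): ("CVE-2024-7254", "3.24.4"),
    ("org.apache.commons", "commons-lang3"): ("CVE-2025-48924", "3.4"),
    ("com.google.guava", "guava"): ("CVE-2023-2976", "32.0.0-jre"),
}

# Shaded/bundled modules leave a pom.properties at META-INF/maven/<groupId>/<artifactId>/
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_pom_properties(text):
    """Parse key=value lines of a pom.properties file; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def bundled_coordinates(jar):
    """Return sorted (groupId, artifactId, version) triples for every Maven module
    whose pom.properties is bundled in the jar. `jar` is a path or file-like object."""
    coords = set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not POM_PROPS.match(name):
                continue
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            if all(k in props for k in ("groupId", "artifactId", "version")):
                coords.add((props["groupId"], props["artifactId"], props["version"]))
    return sorted(coords)


def version_key(version):
    """Numeric prefix of a Maven version for ordering: '32.0.0-jre' -> (32, 0, 0).
    Qualifiers are ignored, which is sufficient for a coarse watch-list check."""
    prefix = re.match(r"[\d.]*", version).group().strip(".")
    return tuple(int(p) for p in prefix.split(".") if p)


def find_watched(coords, watch_list=WATCH_LIST):
    """Flag bundled artifacts at or below the version the watch list names."""
    findings = []
    for group, artifact, version in coords:
        entry = watch_list.get((group, artifact))
        if entry and version_key(version) <= version_key(entry[1]):
            findings.append((entry[0], f"{group}:{artifact}:{version}"))
    return findings


def build_sample_jar():
    """Constructed stand-in for a shaded client jar: only the pom.properties files
    the scan looks at, plus one module that is not on the watch list."""
    modules = [
        ("com.google.protobuf", "protobuf-java-util", "3.24.4"),
        ("org.apache.commons", "commons-lang3", "3.4"),
        ("com.google.guava", "guava", "32.0.0-jre"),
        ("org.example", "unrelated-lib", "1.0.0"),  # constructed, not flagged
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for g, a, v in modules:
            zf.writestr(
                f"META-INF/maven/{g}/{a}/pom.properties",
                f"#Generated by Maven\nversion={v}\ngroupId={g}\nartifactId={a}\n",
            )
    buf.seek(0)
    return buf


def scan_sample():
    """Run the watch-list check over the constructed jar."""
    return find_watched(bundled_coordinates(build_sample_jar()))


if __name__ == "__main__":
    # Usage against a real file: find_watched(bundled_coordinates("rocketmq-client-java.jar"))
    for cve, coordinate in scan_sample():
        print(f"{cve}\t{coordinate}")
```

Reading pom.properties is the quickest way to see what a shaded jar actually carries, since the coordinates do not appear in the consumer's own dependency tree; the same enumeration is what software-composition-analysis tools do before matching against advisory data.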

