Prasanth Pallamreddy created AVRO-2217:
------------------------------------------
Summary: Vulnerabilities in avro bundled packages
Key: AVRO-2217
URL: https://issues.apache.org/jira/browse/AVRO-2217
Project: Avro
Issue Type: Bug
Components: java
Affects Versions: 1.8.2
Reporter: Prasanth Pallamreddy
The following vulnerabilities exist in the packages bundled by Avro. These
packages need to be upgraded to the latest versions. Although a few of these
vulnerabilities were raised a couple of years ago in AVRO-1126 and an attempt
to address the backwards compatibility issue in AVRO-1605 there does not appear
to be a resolution. If there is no resolution on these issues, we may be forced
to fork based on [this PR|https://github.com/apache/avro/pull/87].
org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these
critical / high vulns:
[https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
[https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
[https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
[https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
[https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
