David L. Day created AVRO-3111:
----------------------------------
Summary: CVE-2019-17195
Key: AVRO-3111
URL: https://issues.apache.org/jira/browse/AVRO-3111
Project: Apache Avro
Issue Type: Bug
Components: java
Affects Versions: 1.10.2, 1.10.1
Environment: Docker image built on library/buildpack-deps:buster-curl
([buildpack-deps (docker.com)|https://hub.docker.com/_/buildpack-deps])
Reporter: David L. Day
When installing avro-tools in a container on a debian image, my company's image
scanner reports CVE-2019-17195:
_Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions
while parsing a JWT, which could result in an application crash (potential
information disclosure) or a potential authentication bypass._
I see other Apache projects have had this CVE reported and have been fixed, but
did not see where this was reported for Apache Avro Tools specifically.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
