Purushottam Sinha created FLINK-39693:
-----------------------------------------
Summary: Bump jackson, log4j, assertj to address CVEs
Key: FLINK-39693
URL: https://issues.apache.org/jira/browse/FLINK-39693
Project: Flink
Issue Type: Technical Debt
Components: Connectors / Kafka
Reporter: Purushottam Sinha
Problem
Three dependency versions declared in the root pom.xml have known CVEs.
Jackson ships in the connector jar (user-visible); log4j and assertj are
test-scope only.
Evidence
- pom.xml:62 — jackson-bom.version 2.18.2: GHSA-72hv-8253-57qq (MEDIUM, async
parser DoS), reaches users via flink-connector-kafka and shaded
flink-sql-connector-kafka at compile scope.
- pom.xml:75 — log4j.version 2.25.0: CVE-2025-68161, CVE-2026-34477,
CVE-2026-34478, CVE-2026-34480 (MEDIUM). Test scope only.
- pom.xml:84 — assertj.version 3.27.3: CVE-2026-24400 (HIGH, XXE). Test scope
only.
Proposed fix
- Bump jackson-bom.version 2.18.2 → 2.18.6.
- Bump log4j.version 2.25.0 → 2.25.4.
- Bump assertj.version 3.27.3 → 3.27.7.
Acceptance
- trivy fs on the repo no longer flags the five CVEs above.
- mvn verify passes on the connector and e2e modules.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
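As an added example that is not part of the ticket or of the Flink Kafka connector repository: a small pre-merge guard that reads the properties block of a root pom.xml and reports any of the three pins (jackson-bom.version, log4j.version, assertj.version) that sits below the floor proposed above. It does not replace the trivy scan in the acceptance criteria; it only confirms that the bump actually landed in the pom. The pom snippet is constructed and carries the vulnerable pins from the Evidence section; the real file is larger and its line numbers are not reproduced. Only the numeric release part of a version is compared, so Maven qualifier ordering (-SNAPSHOT, -rc1) is an acknowledged simplification.

```python
"""Guard that the three dependency pins named in FLINK-39693 meet the proposed
floors. Added example, not code from the ticket or the Flink Kafka connector
repository. Only the numeric release part of a version is compared; Maven
qualifier ordering (-SNAPSHOT, -rc1) is deliberately not modelled.
"""
import re
import sys
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Floors taken from the ticket's "Proposed fix" section.
MIN_VERSIONS = {
    "jackson-bom.version": "2.18.6",
    "log4j.version": "2.25.4",
    "assertj.version": "3.27.7",
}

# Constructed sample pom carrying the vulnerable pins from the "Evidence"
# section; the real pom.xml is larger and its line numbers are not reproduced.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.flink</groupId>
  <artifactId>flink-connector-kafka-parent</artifactId>
  <version>0-SNAPSHOT</version>
  <properties>
    <jackson-bom.version>2.18.2</jackson-bom.version>
    <log4j.version>2.25.0</log4j.version>
    <assertj.version>3.27.3</assertj.version>
  </properties>
</project>
"""


def parse_version(version):
    """Return the numeric components of a version, e.g. '2.18.6' -> (2, 18, 6).

    Trailing qualifiers are dropped, so '2.18.6-SNAPSHOT' compares equal to '2.18.6'.
    """
    numeric = re.match(r"[\d.]+", version)
    if not numeric:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(part) for part in numeric.group(0).strip(".").split("."))


def read_properties(pom_xml):
    """Return {property-name: value} from the <properties> block of a pom.xml string.

    Handles both the namespaced form Maven writes and a bare <project> element.
    """
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", MAVEN_NS)
    if props is None:
        props = root.find("properties")
    if props is None:
        return {}
    result = {}
    for child in props:
        name = child.tag.split("}", 1)[-1]  # strip the {namespace} prefix
        result[name] = (child.text or "").strip()
    return result


def find_outdated(properties, minimums=MIN_VERSIONS):
    """Map each tracked property that is missing or below its floor to (current, required)."""
    outdated = {}
    for name, floor in minimums.items():
        current = properties.get(name)
        if current is None or parse_version(current) < parse_version(floor):
            outdated[name] = (current, floor)
    return outdated


def check_pom(pom_xml, minimums=MIN_VERSIONS):
    """Return human-readable findings, sorted by property; empty means every pin meets its floor."""
    outdated = find_outdated(read_properties(pom_xml), minimums)
    return [
        f"{name}: {current or 'missing'} < {floor}"
        for name, (current, floor) in sorted(outdated.items())
    ]


if __name__ == "__main__":
    # Pass a pom.xml path to check a real file; default to the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_POM
    findings = check_pom(source)
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Run with the path to the root pom.xml to get a non-zero exit while any of the three pins is still below its floor, which makes it usable as a CI step alongside the mvn verify run named in the acceptance criteria. Because compile-scope jackson is what reaches users through flink-connector-kafka and the shaded flink-sql-connector-kafka, a practitioner would additionally confirm the shaded jar's embedded Jackson version after the bump; this check only covers the property declarations.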