Hi Chia-Ping,
What about kafka_2.13? With 4.1.1 version, I still see that commons-beanutils
is in 1.9.0 version; link here
https://central.sonatype.com/artifact/org.apache.kafka/kafka_2.13/dependencies
In my code I am using spring-boot-starter-kafka-test:jar:4.0.0 which is using
this kafka_2.13. Below is my dependency tree:
+- org.springframework.boot:spring-boot-starter-kafka-test:jar:4.0.0:compile
[INFO] | \- org.springframework.kafka:spring-kafka-test:jar:4.0.0:compile
[INFO] | .
.
.
[INFO] | +- org.apache.kafka:kafka-test-common-runtime:jar:4.1.1:compile
[INFO] | | +- org.apache.kafka:kafka_2.13:jar:4.1.1:compile
[INFO] | | | +- org.scala-lang:scala-library:jar:2.13.16:compile
[INFO] | | | +- org.apache.kafka:kafka-tools-api:jar:4.1.1:runtime
[INFO] | | | +- net.sourceforge.argparse4j:argparse4j:jar:0.7.0:runtime
[INFO] | | | +- commons-validator:commons-validator:jar:1.9.0:runtime
[INFO] | | | | +- commons-beanutils:commons-beanutils:jar:1.9.4:runtime
[INFO] | | | | +- commons-digester:commons-digester:jar:2.1:runtime
[INFO] | | | | \-
commons-collections:commons-collections:jar:3.2.2:runtime
Thanks.
Brundha S V
From: Chia-Ping Tsai <[email protected]>
Sent: 04 December 2025 15:12
To: [email protected]
Cc: V, Brundha <[email protected]>
Subject: Re: Latest version of kafka-clients has CVE on maven repo
hi
kafka-clients:4.1.1 has updated the commons-beanutils dependency to 1.11.0 (see
https://github.com/apache/kafka/commit/ddc30477a99c06d1c91f53bbf1230d32fadb98d5),
and this change should already resolve the related CVE
Best,
Chia-Ping
V, Brundha via dev <[email protected]<mailto:[email protected]>> 於
2025年12月4日週四 下午5:10寫道:
Hi,
Latest version of kafka-clients:4.1.1 has CVE related to ‘commons-beanutils’. I
see that parent package ‘commons-validator’ is already upgraded in code but I
don’t see any releases having this upgraded version on maven repository. Kindly
make the version available as soon as possible on maven as this CVE is under
HIGH category.
Thanks.
Brundha S V
