The update of `commons-validator` is only included in 4.2.0. I can
backport the update to 4.0 and 4.1, and you could force a dependency
update in your environment.

V, Brundha <[email protected]> wrote on Thursday, 4 December 2025 at 6:17 PM:

> Hi Chia-Ping,
>
> What about kafka_2.13? With 4.1.1 version, I still see that
> commons-beanutils is in 1.9.0 version; link here
> https://central.sonatype.com/artifact/org.apache.kafka/kafka_2.13/dependencies
>
> In my code I am using spring-boot-starter-kafka-test:jar:4.0.0 which is
> using this kafka_2.13. Below is my dependency tree:
> +- org.springframework.boot:spring-boot-starter-kafka-test:jar:4.0.0:compile
> [INFO] |  \- org.springframework.kafka:spring-kafka-test:jar:4.0.0:compile
> [INFO] |     .
>                      .
>                      .
> [INFO] |     +- org.apache.kafka:kafka-test-common-runtime:jar:4.1.1:compile
> [INFO] |     |  +- org.apache.kafka:kafka_2.13:jar:4.1.1:compile
> [INFO] |     |  |  +- org.scala-lang:scala-library:jar:2.13.16:compile
> [INFO] |     |  |  +- org.apache.kafka:kafka-tools-api:jar:4.1.1:runtime
> [INFO] |     |  |  +- net.sourceforge.argparse4j:argparse4j:jar:0.7.0:runtime
> [INFO] |     |  |  +- commons-validator:commons-validator:jar:1.9.0:runtime
> [INFO] |     |  |  |  +- commons-beanutils:commons-beanutils:jar:1.9.4:runtime
> [INFO] |     |  |  |  +- commons-digester:commons-digester:jar:2.1:runtime
> [INFO] |     |  |  |  \- commons-collections:commons-collections:jar:3.2.2:runtime
>
> Thanks.
>
> Brundha S V
>
> *From:* Chia-Ping Tsai <[email protected]>
> *Sent:* 04 December 2025 15:12
> *To:* [email protected]
> *Cc:* V, Brundha <[email protected]>
> *Subject:* Re: Latest version of kafka-clients has CVE on maven repo
>
> hi
>
> kafka-clients:4.1.1 has updated the commons-beanutils dependency to 1.11.0
> (see
> https://github.com/apache/kafka/commit/ddc30477a99c06d1c91f53bbf1230d32fadb98d5),
> and this change should already resolve the related CVE
>
> Best,
>
> Chia-Ping
>
> V, Brundha via dev <[email protected]> wrote on Thursday, 4 December 2025 at 5:10 PM:
>
> Hi,
>
> Latest version of kafka-clients:4.1.1 has CVE related to
> ‘commons-beanutils’. I see that parent package ‘commons-validator’ is
> already upgraded in code but I don’t see any releases having this upgraded
> version on maven repository. Kindly make the version available as soon as
> possible on maven as this CVE is under HIGH category.
>
> Thanks.
>
> Brundha S V
>
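The reply at the top suggests checking your own environment for the old transitive version. As an added example (not code from the thread or from Apache Kafka), the script below parses the plain-text `mvn dependency:tree` output in the format Brundha quoted and flags every artifact whose version is below a required floor; the floor of 1.11.0 for commons-beanutils is taken from Chia-Ping's reply, and the sample tree lines are constructed from the ones quoted above. It compares versions as integer tuples, because a plain string comparison would rank 1.9.4 above 1.11.0 and miss the outdated copy.

```python
# Added example (not from the thread): parse the plain-text output of
# `mvn dependency:tree`, in the format quoted above, and flag any artifact
# whose version is below a required minimum. Versions are compared as
# integer tuples; a plain string comparison would rank 1.9.4 above 1.11.0.
import re

# Coordinates look like group:artifact:packaging:version:scope and may be
# preceded by "[INFO]" and tree-drawing characters ("|", "+-", "\-").
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+:([0-9][A-Za-z0-9.\-]*)"
)


def parse_version(version: str) -> tuple:
    """Turn '1.11.0' into (1, 11, 0); a non-numeric suffix ends the tuple."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_outdated(tree_text: str, minimums: dict) -> list:
    """Return (group:artifact, version) pairs that sit below their minimum."""
    hits = []
    # Line by line, so a coordinate that a mail client wrapped onto its own
    # line (as in the quoted tree) is still matched.
    for line in tree_text.splitlines():
        for group, artifact, version in COORD_RE.findall(line):
            key = f"{group}:{artifact}"
            floor = minimums.get(key)
            if floor and parse_version(version) < parse_version(floor):
                hits.append((key, version))
    return hits


# Constructed sample: the relevant lines of the tree quoted in the thread.
SAMPLE_TREE = """\
[INFO] |     |  +- org.apache.kafka:kafka_2.13:jar:4.1.1:compile
[INFO] |     |  |  +- commons-validator:commons-validator:jar:1.9.0:runtime
[INFO] |     |  |  |  +- commons-beanutils:commons-beanutils:jar:1.9.4:runtime
[INFO] |     |  |  |  \\- commons-collections:commons-collections:jar:3.2.2:runtime
"""

# 1.11.0 is the commons-beanutils version kafka-clients 4.1.1 moved to,
# per Chia-Ping's reply; set the floor to whatever your advisory requires.
REQUIRED = {"commons-beanutils:commons-beanutils": "1.11.0"}
```

Run it against the full output of `mvn dependency:tree` instead of `SAMPLE_TREE` to find every path that still pulls in the old version after you add your override.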
