Thanks Chia-Ping, that would be great. Thanks.

Brundha S V

________________________________
From: Chia-Ping Tsai <[email protected]>
Sent: Thursday, December 4, 2025 5:59:17 PM
To: V, Brundha <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Latest version of kafka-clients has CVE on maven repo

The update of `commons-validator` is only included in 4.2.0. I can backport the update to 4.0 and 4.1, and you could force a dependency update in your environment.

V, Brundha <[email protected]> wrote on Thursday, December 4, 2025 at 6:17 PM:

Hi Chia-Ping,

What about kafka_2.13? With the 4.1.1 version, I still see that commons-beanutils is at version 1.9.0; link here: https://central.sonatype.com/artifact/org.apache.kafka/kafka_2.13/dependencies

In my code I am using spring-boot-starter-kafka-test:jar:4.0.0, which is using this kafka_2.13. Below is my dependency tree:

+- org.springframework.boot:spring-boot-starter-kafka-test:jar:4.0.0:compile
[INFO] |  \- org.springframework.kafka:spring-kafka-test:jar:4.0.0:compile
[INFO] |     . . .
[INFO] |     +- org.apache.kafka:kafka-test-common-runtime:jar:4.1.1:compile
[INFO] |     |  +- org.apache.kafka:kafka_2.13:jar:4.1.1:compile
[INFO] |     |  |  +- org.scala-lang:scala-library:jar:2.13.16:compile
[INFO] |     |  |  +- org.apache.kafka:kafka-tools-api:jar:4.1.1:runtime
[INFO] |     |  |  +- net.sourceforge.argparse4j:argparse4j:jar:0.7.0:runtime
[INFO] |     |  |  +- commons-validator:commons-validator:jar:1.9.0:runtime
[INFO] |     |  |  |  +- commons-beanutils:commons-beanutils:jar:1.9.4:runtime
[INFO] |     |  |  |  +- commons-digester:commons-digester:jar:2.1:runtime
[INFO] |     |  |  |  \- commons-collections:commons-collections:jar:3.2.2:runtime

Thanks.
Brundha S V

From: Chia-Ping Tsai <[email protected]>
Sent: 04 December 2025 15:12
To: [email protected]
Cc: V, Brundha <[email protected]>
Subject: Re: Latest version of kafka-clients has CVE on maven repo

Hi,

kafka-clients:4.1.1 has updated the commons-beanutils dependency to 1.11.0 (see https://github.com/apache/kafka/commit/ddc30477a99c06d1c91f53bbf1230d32fadb98d5), and this change should already resolve the related CVE.

Best,
Chia-Ping

V, Brundha via dev <[email protected]> wrote on Thursday, December 4, 2025 at 5:10 PM:

Hi,

Latest version of kafka-clients:4.1.1 has a CVE related to ‘commons-beanutils’. I see that the parent package ‘commons-validator’ is already upgraded in code, but I don’t see any releases having this upgraded version on the maven repository. Kindly make the version available as soon as possible on maven, as this CVE is under the HIGH category.

Thanks.
Brundha S V
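The "force a dependency update in your environment" suggested above, as an added Maven example that is not part of the thread or of the Kafka project: a dependencyManagement entry in the consuming project's pom.xml overrides the version of the transitive commons-beanutils that kafka_2.13 pulls in through commons-validator. The coordinates are the real ones shown in the dependency tree above; 1.11.0 is the version the thread names for the kafka-clients fix, and the choice to pin only commons-beanutils (rather than also commons-validator, whose fixed version the thread does not state) is this example's assumption.

```xml
<!-- Added example (not from the thread): place inside <project> of the consuming
     project's pom.xml. dependencyManagement applies to transitive dependencies, so
     commons-validator:1.9.0 still resolves but its commons-beanutils child is
     resolved as 1.11.0 instead of 1.9.4 for the whole build. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <!-- version taken from the thread's commit reference; verify it against the advisory -->
      <version>1.11.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=commons-beanutils` shows which commons-beanutils version actually resolved, so the override can be confirmed rather than assumed.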
