Hi JIAHAO, Kafka does not use Guava.
Some of the packages Kafka Connect depend on use Guava. Perhaps the right thing to do is track down those projects and see how they are using Guava (if they are vulnerable to the CVE). best, Colin On Mon, Mar 4, 2019, at 15:52, JIAHAO ZHOU wrote: > Hello, > when downloading Kafka 2.1.1, the kafka_2.12-2.1.1.tgz still contains > guava-20.0.jar. This guava version currently has a vulnerability > described here: https://github.com/google/guava/wiki/CVE-2018-10237 > The version 24.1.1 and 25.0+ are fixed version. > Are there any plans to upgrade this dependency? > > Regards > Jiahao Zhou >
