[ https://issues.apache.org/jira/browse/RANGER-5023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Basapuram Kumar reassigned RANGER-5023:
---------------------------------------

    Assignee: Basapuram Kumar

> Upgrade commons-io dependency to fix CVE-2024-47554
> -----------------------------------------------------
>
>                 Key: RANGER-5023
>                 URL: https://issues.apache.org/jira/browse/RANGER-5023
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>    Affects Versions: 2.4.0, 2.5.0
>            Reporter: Basapuram Kumar
>            Assignee: Basapuram Kumar
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> *commons-io* can be upgraded from *2.11.0* to *2.16.0* to avoid
> {*}CVE-2024-47554{*}.
>
> CVE Reference -
> [CVE-2024-47554|https://nvd.nist.gov/vuln/detail/CVE-2024-47554]
>
> *+CVE-2024-47554 Description:+*
> Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The
> org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU
> resources when processing maliciously crafted input. This issue affects
> Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade
> to version 2.14.0 or later, which fixes the issue.
>
> Suggesting *2.16.1* as Hadoop also runs on the same version. Please let us know
> if it will be okay to move to the latest version of *commons-io*, *2.18.0*.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
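An added check (not part of the Jira issue or the Ranger code base) that flags any resolved commons-io version inside the window the CVE text above gives, 2.0 up to but not including 2.14.0, when run over `mvn dependency:tree` style output; the sample tree lines and module name are constructed, not taken from a real Ranger build.

```python
import re
from typing import List, Tuple

# Affected range quoted in the issue: Apache Commons IO from 2.0 before 2.14.0.
AFFECTED_MIN = (2, 0, 0)
FIXED_IN = (2, 14, 0)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn 'major.minor[.patch]' into a comparable tuple; qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when a commons-io version lies in the CVE-2024-47554 window."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


# Matches the groupId:artifactId:type:version part of a dependency:tree line.
DEP_LINE = re.compile(r"commons-io:commons-io:jar:([\w.\-]+)")


def find_vulnerable(tree_output: str) -> List[str]:
    """Return every commons-io version in the tree output that is still affected."""
    found = []
    for line in tree_output.splitlines():
        m = DEP_LINE.search(line)
        if m and is_affected(m.group(1)):
            found.append(m.group(1))
    return found


# Constructed sample output (hypothetical module, not a real Ranger tree).
SAMPLE_TREE = """\
[INFO] org.example:example-module:jar:1.0.0
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] \\- org.example:other-lib:jar:3.0.0:compile
"""

if __name__ == "__main__":
    for v in find_vulnerable(SAMPLE_TREE):
        print(f"commons-io {v} is affected by CVE-2024-47554; upgrade to 2.14.0 or later")
```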