Paul Shuttlewood created ZOOKEEPER-4998:
-------------------------------------------
Summary: CVE vulnerabilities in zookeeper 3.9.4
Key: ZOOKEEPER-4998
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4998
Project: ZooKeeper
Issue Type: Bug
Affects Versions: 3.9.4
Reporter: Paul Shuttlewood
We are installing Zookeeper 3.9.4 on a production server which regularly
undergoes OWASP dependency-check scanning.
This scan is detecting 6 vulnerabilities (2x high, 4x medium) with Zookeeper
libraries:
CVE-2025-11226 - HIGH - apache-zookeeper-3.9.4-bin\lib\logback-core-1.3.15.jar
CVE-2025-55163 - HIGH - apache-zookeeper-3.9.4-bin\lib\netty-transport-4.1.119.Final.jar
CVE-2023-35116 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\jackson-databind-2.15.2.jar
CVE-2023-50572 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\jline-2.14.6.jar
CVE-2024-6763 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\jetty-http-9.4.57.v20241219.jar
CVE-2025-58057 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\netty-transport-4.1.119.Final.jar
Can you provide any details of when you plan to release a new version that will
fix some/all of these CVE issues?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)