[ https://issues.apache.org/jira/browse/FLINK-39693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rui Fan reassigned FLINK-39693:
-------------------------------
Assignee: Purushottam Sinha
> Bump jackson, log4j, assertj to address CVEs
> --------------------------------------------
>
> Key: FLINK-39693
> URL: https://issues.apache.org/jira/browse/FLINK-39693
> Project: Flink
> Issue Type: Technical Debt
> Components: Connectors / Kafka
> Reporter: Purushottam Sinha
> Assignee: Purushottam Sinha
> Priority: Minor
> Labels: pull-request-available
>
> Problem
> Three dependency versions declared in the root pom.xml have known CVEs.
> Jackson ships in the connector jar (user-visible); log4j and assertj are
> test-scope only.
> Evidence
> - pom.xml:62 — jackson-bom.version 2.18.2: GHSA-72hv-8253-57qq (MEDIUM,
> async parser DoS), reaches users via flink-connector-kafka and shaded
> flink-sql-connector-kafka at compile scope.
> - pom.xml:75 — log4j.version 2.25.0: CVE-2025-68161, CVE-2026-34477,
> CVE-2026-34478, CVE-2026-34480 (MEDIUM). Test scope only.
> - pom.xml:84 — assertj.version 3.27.3: CVE-2026-24400 (HIGH, XXE). Test
> scope only.
> Proposed fix
> - Bump jackson-bom.version 2.18.2 → 2.18.6.
> - Bump log4j.version 2.25.0 → 2.25.4.
> - Bump assertj.version 3.27.3 → 3.27.7.
> Acceptance
> - trivy fs on the repo no longer flags the five CVEs above.
> - mvn verify passes on the connector and e2e modules.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
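An added check, not part of the ticket or of the Flink project, that reads the version properties from a root pom.xml and reports any that sit below the floors proposed in the ticket; the embedded pom.xml is a constructed sample, and the minimum versions are the ones listed in the proposed fix.

```python
"""Verify that a root pom.xml declares jackson-bom, log4j and assertj at or above
the versions proposed in FLINK-39693 to address the listed CVEs."""
import re
import xml.etree.ElementTree as ET

# Floors taken from the ticket's "Proposed fix" section.
MIN_VERSIONS = {
    "jackson-bom.version": "2.18.6",
    "log4j.version": "2.25.4",
    "assertj.version": "3.27.7",
}

# Constructed sample: jackson already bumped, log4j and assertj still on old versions.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jackson-bom.version>2.18.6</jackson-bom.version>
    <log4j.version>2.25.0</log4j.version>
    <assertj.version>3.27.3</assertj.version>
  </properties>
</project>"""


def parse_version(version):
    """Numeric dotted prefix only: '2.25.0-SNAPSHOT' -> (2, 25, 0); qualifiers are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(part) for part in match.group().split(".")) if match else ()


def read_properties(pom_xml):
    """Return the top-level <properties> of a pom as a dict, ignoring the XML namespace."""
    root = ET.fromstring(pom_xml)
    local = lambda tag: tag.rsplit("}", 1)[-1]
    for element in root:
        if local(element.tag) == "properties":
            return {local(child.tag): (child.text or "").strip() for child in element}
    return {}


def check_pom(pom_xml, minimums=MIN_VERSIONS):
    """Map each property below its floor (or missing) to (declared, required)."""
    declared = read_properties(pom_xml)
    findings = {}
    for prop, floor in minimums.items():
        value = declared.get(prop)
        if value is None or parse_version(value) < parse_version(floor):
            findings[prop] = (value, floor)
    return findings


if __name__ == "__main__":
    for prop, (have, need) in check_pom(SAMPLE_POM).items():
        print(f"{prop}: declared {have}, need >= {need}")
```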