[
https://issues.apache.org/jira/browse/FLINK-39693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rui Fan resolved FLINK-39693.
-----------------------------
Fix Version/s: kafka-5.1.0
Resolution: Fixed
merged to main (5.1.0) via: 119cf495733a6ee0f38df63eb6f312593b222b82 and
ab300d2680f2dc28885178a68fffbe1e014472d5
> Bump jackson, log4j, assertj to address CVEs
> --------------------------------------------
>
> Key: FLINK-39693
> URL: https://issues.apache.org/jira/browse/FLINK-39693
> Project: Flink
> Issue Type: Technical Debt
> Components: Connectors / Kafka
> Reporter: Purushottam Sinha
> Assignee: Purushottam Sinha
> Priority: Minor
> Labels: pull-request-available
> Fix For: kafka-5.1.0
>
>
> Problem
> Three dependency versions declared in the root pom.xml have known CVEs.
> Jackson ships in the connector jar (user-visible); log4j and assertj are
> test-scope only.
> Evidence
> - pom.xml:62 — jackson-bom.version 2.18.2: GHSA-72hv-8253-57qq (MEDIUM,
> async parser DoS), reaches users via flink-connector-kafka and shaded
> flink-sql-connector-kafka at compile scope.
> - pom.xml:75 — log4j.version 2.25.0: CVE-2025-68161, CVE-2026-34477,
> CVE-2026-34478, CVE-2026-34480 (MEDIUM). Test scope only.
> - pom.xml:84 — assertj.version 3.27.3: CVE-2026-24400 (HIGH, XXE). Test
> scope only.
> Proposed fix
> - Bump jackson-bom.version 2.18.2 → 2.18.6.
> - Bump log4j.version 2.25.0 → 2.25.4.
> - Bump assertj.version 3.27.3 → 3.27.7.
> Acceptance
> - trivy fs on the repo no longer flags the five CVEs above.
> - mvn verify passes on the connector and e2e modules.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
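A small version gate for the fix above, added here as an example and not part of the Jira issue or the Flink Kafka connector: it reads the three properties from a root pom.xml and fails if any is still below the version the issue proposes. The pom fragments are constructed inline; trivy and mvn verify remain the real acceptance checks.

```shell
# Added example, not from the issue or the Flink project: a CI-style gate that
# fails when jackson-bom/log4j/assertj properties are below the proposed bumps.
# Minimum versions from the issue, as property=version pairs.
MIN_VERSIONS="jackson-bom.version=2.18.6
log4j.version=2.25.4
assertj.version=3.27.7"

# Print the value of <name>value</name> from a pom file ($1 = file, $2 = name).
pom_property() {
  sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# Succeed when version $1 is at or above $2 in natural version order.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Report each property and return 1 if any is missing or below its minimum.
check_pom_versions() {
  pom="$1"; rc=0
  for entry in $MIN_VERSIONS; do
    prop="${entry%%=*}"; min="${entry#*=}"
    actual="$(pom_property "$pom" "$prop")"
    if [ -z "$actual" ]; then
      echo "MISSING $prop"; rc=1
    elif version_ge "$actual" "$min"; then
      echo "OK      $prop=$actual (>= $min)"
    else
      echo "STALE   $prop=$actual (< $min)"; rc=1
    fi
  done
  return $rc
}
# Constructed pom fragments: the versions the issue flags, then the bumped ones.
STALE_POM="$(mktemp)"; FIXED_POM="$(mktemp)"
trap 'rm -f "$STALE_POM" "$FIXED_POM"' EXIT
cat > "$STALE_POM" <<'EOF'
<project><properties>
  <jackson-bom.version>2.18.2</jackson-bom.version>
  <log4j.version>2.25.0</log4j.version>
  <assertj.version>3.27.3</assertj.version>
</properties></project>
EOF
sed -e 's/2\.18\.2/2.18.6/' -e 's/2\.25\.0/2.25.4/' -e 's/3\.27\.3/3.27.7/' \
  "$STALE_POM" > "$FIXED_POM"
check_pom_versions "$STALE_POM" || echo "stale pom rejected"
check_pom_versions "$FIXED_POM" && echo "fixed pom accepted"
```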