[jira] [Commented] (PHOENIX-7393) Exclude woodstox-core to fix CVE-2022-40152

Grzegorz Kokosinski (Jira) Sun, 25 Aug 2024 06:09:15 -0700


    [ 
https://issues.apache.org/jira/browse/PHOENIX-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17876506#comment-17876506
 ]


Grzegorz Kokosinski commented on PHOENIX-7393:
----------------------------------------------

FYI [~vjasani] 

> Exclude woodstox-core to fix CVE-2022-40152
> -------------------------------------------
>
>                 Key: PHOENIX-7393
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7393
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Grzegorz Kokosinski
>            Priority: Major
>
> Exclude woodstox-core to fix [CVE-2022-40152 
> (|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] 
> [https://nvd.nist.gov/vuln/detail/CVE-2022-40152]).
> This is a transitive dependency from hadoop, it is most likely not needed for 
> phoenix. Notice that any product that is using {{phoenix-client-embedded}} to 
> use Phoenix internally, is flagged with this CVEs
> This is used in Trino phoenix connector. Then it makes entire Trino flagged 
> with this CVE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (PHOENIX-7393) Exclude woodstox-core to fix CVE-2022-40152

Reply via email to