Hi Sahil,

Regarding CVE-2023-31582: it affects jose4j versions prior to 0.9.3 (not included). Apache Kafka has been using jose4j version 0.9.3 for a while now; it was introduced in this commit[1] on May 13. Since Kafka 3.4.1 all versions have been shipped with jose4j 0.9.3. Please note that NVD's CVE page[2] states that this affects "Up to (excluding): 0.9.3". Also, the jose4j release notes[3] specify that this specific vulnerability was fixed in 0.9.3.

How did you detect that Kafka was affected by CVE-2023-31582?

Best,

[1]: https://github.com/apache/kafka/commit/fa7818dff5a28048401654a7497e56dbc988b755
[2]: https://nvd.nist.gov/vuln/detail/CVE-2023-31582#range-9713327
[3]: https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes

On Thu, Dec 7, 2023 at 10:00 AM Sahil Sharma D <sahil.d.sha...@ericsson.com.invalid> wrote:

> Hi team,
>
> There is another vulnerability we detected, can you please share whether Kafka is
> planning to fix this vulnerability:
> CVE-2023-31582
> GHSA-jgvc-jfgh-rjvv
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 17 October 2023 02:45 PM
> To: 'users@kafka.apache.org' <users@kafka.apache.org>
> Subject: RE: Fix for CVEs
>
> Hi Team,
>
> There is another vulnerability we detected, CVE-2023-4586, can you please
> share whether Kafka is planning to fix this vulnerability and the CVEs mentioned in
> the mail trail.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 14 September 2023 05:51 PM
> To: 'users@kafka.apache.org' <users@kafka.apache.org<mailto:users@kafka.apache.org>>
> Subject: Fix for CVEs
>
> Hi Team,
>
> As suggested earlier I tried to reach "secur...@apache.org<mailto:secur...@apache.org>"; this address is meant for coordinating
> still-undisclosed potential vulnerabilities only.
>
> Can you please share the release plan for the below mentioned CVEs:
>
> CVE-2023-34454
> CVE-2023-34453
> CVE-2022-42003
> CVE-2022-42004
> CVE-2023-34462
> CVE-2023-35116
>
> Regards,
> Sahil

--
Josep Prat
Open Source Engineering Director, Aiven
josep.p...@aiven.io | +491715557497
aiven.io <https://www.aiven.io> | <https://www.facebook.com/aivencloud> <https://www.linkedin.com/company/aiven/> <https://twitter.com/aiven_io>
Aiven Deutschland GmbH
Alexanderufer 3-7, 10117 Berlin
Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
Amtsgericht Charlottenburg, HRB 209739 B
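The version-range check Josep describes (jose4j is affected only below 0.9.3; 0.9.3 itself is the fixed release) as an added Python example, not part of this thread and not code from the Kafka or jose4j projects: it scans a directory listing for jose4j jars and flags any whose version is below the fix. The `jose4j-<version>.jar` file naming and the `libs/` location are assumptions about how the Kafka distribution lays out its dependencies, and the sample listing is constructed. Versions are compared numerically so that, for instance, 0.9.10 is correctly treated as newer than 0.9.3 (a plain string comparison would get that wrong).

```python
import os
import re
from typing import Iterable, List, Tuple

# Affected range for CVE-2023-31582 as stated in the thread and on the NVD page:
# versions prior to 0.9.3, with 0.9.3 itself NOT affected.
FIXED_VERSION = "0.9.3"

# Assumed jar naming convention, e.g. jose4j-0.9.3.jar (an assumption about
# the Kafka distribution's libs/ directory, not verified against the page).
JAR_RE = re.compile(r"^jose4j-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.9.10' into (0, 9, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if this jose4j version falls in the vulnerable range (< 0.9.3)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_jars(names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """For each jose4j jar in a listing, return (jar name, version, affected)."""
    results = []
    for name in names:
        match = JAR_RE.match(name)
        if not match:
            continue  # not a jose4j jar, skip
        version = match.group(1)
        results.append((name, version, is_affected(version)))
    return results


def scan_directory(path: str) -> List[Tuple[str, str, bool]]:
    """Convenience wrapper: scan a real directory such as <kafka>/libs."""
    return scan_jars(sorted(os.listdir(path)))


if __name__ == "__main__":
    # Constructed sample listing; a real run would use scan_directory("libs").
    sample_listing = [
        "kafka-clients-3.4.1.jar",
        "jose4j-0.9.3.jar",
        "jose4j-0.9.2.jar",
        "slf4j-api-1.7.36.jar",
    ]
    for jar, version, affected in scan_jars(sample_listing):
        status = "AFFECTED (upgrade to %s or later)" % FIXED_VERSION if affected else "not affected"
        print("%-22s version %-7s %s" % (jar, version, status))
```

Running it against a real installation is `scan_directory("/path/to/kafka/libs")`; an empty result means no jose4j jar matched the assumed naming, which is worth checking by hand rather than treating as a clean bill of health.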