This is an automated email from the ASF dual-hosted git repository.
capistrant pushed a commit to branch 34.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/34.0.0 by this push:
new e0ce439a3e0 Supress hadoop shaded jetty cve that is not exploitable in
druid (#18354) (#18363)
e0ce439a3e0 is described below
commit e0ce439a3e0d0367fc711566aabdcdc6589b6498
Author: Lucas Capistrant <[email protected]>
AuthorDate: Mon Aug 4 09:08:15 2025 -0500
Supress hadoop shaded jetty cve that is not exploitable in druid (#18354)
(#18363)
---
owasp-dependency-check-suppressions.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index 201a500543c..6476c18b579 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -143,6 +143,7 @@
<cve>CVE-2024-29131</cve> <!-- This seems to be a legitimate
vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk
v2 dependency work to finish -->
<cve>CVE-2024-22201</cve> <!-- This seems to be a legitimate
vulnerability. We would need to go to a hadoop-client which was not yet
released -->
<cve>CVE-2025-52999</cve> <!-- This is vulneraability in all versions of
hadoop-client-runtime and has not been fixed by hadoop yet -->
+ <cve>CVE-2024-9823</cve> <!-- This is in hadoop's shadded jetty. no
version of hadoop has updated to fixed version. It is a jetty server vuln,
which should not be exploitable in hadoop client code -->
</suppress>
<!-- those are false positives, no other tools report any of those CVEs in
the hadoop package -->
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
