Hi,

1 + 2 doesn't make sense -- we are on moment 2.24.0, and we don't use jQuery 1.7, so I'd question the accuracy of the scanner.

3. No, that three-year-old CVE is not still an issue in 1.10.10.

If you wish to discuss any of these in more detail, please do not do it on list -- security disclosures should be private, as per http://www.apache.org/security/

Thanks,
Ash

On Jun 3 2020, at 10:19 pm, Malik Lalani <[email protected]> wrote:
> Hi Airflow Dev Team,
>
> We are using airflow v1.10.10 at Salesforce. We ran NexusIQ and
> found the following vulnerabilities in packages used in airflow:
>
> 1. package: moment:2.11.2
>    vulnerabilities: sonatype-2016-0105, sonatype-2017-0422
>    description: CVE-2017-18214 has been assigned to sonatype-2017-0422.
>    remediation: upgrade to 2.19.3
>
> 2. package: jquery:1.7.2
>    vulnerabilities: sonatype-2012-0009, sonatype-2014-0026,
>    sonatype-2019-0115, sonatype-2020-0187
>    description: CVE-2012-6708 has been assigned to
>    sonatype-2012-0009, CVE-2019-11358 has been assigned to
>    sonatype-2019-0115, CVE-2020-11022 has been assigned to sonatype-2020-0187
>    remediation: upgrade to 3.5.0
>
> 3. CVE-2017-15720
>    description: Vendor has a reason to believe that this
>    vulnerability applies to airflow v1.10.10
>
> We wanted to know whether these packages can be upgraded (1 and 2) to
> resolve the vulnerabilities, and we would also really appreciate it
> if the team could verify #3. Please let us know how we can provide
> help in this regard. We have attached vulnerability reports with
> this email.
>
> Thanks,
> - MALIK
> Software Engineering SMTS | Salesforce
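The disagreement in the thread (a scanner reporting moment 2.11.2 and jQuery 1.7.2 against a deployment that says it ships moment 2.24.0 and no jQuery 1.7) is the kind of thing worth settling from the files on disk rather than from either the report or the project's word. The following is an added example, not Airflow code and not posted by anyone in the thread. It reads the version banner that jQuery and moment embed at the top of their distributed files and compares it with the "upgrade to" floors quoted from the scanner report (jquery 3.5.0, moment 2.19.3). The banner formats are this example's assumption about those projects' build output, and the sample tree is constructed for illustration.

```python
"""Check which versions of vendored JavaScript libraries a tree really ships.

Added example, not Airflow's code and not posted by anyone in the thread.
The banner regexes are assumptions about jQuery's and moment's build output;
SAMPLE_FILES is a constructed tree used to exercise the check offline.
"""
import os
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Floors taken from the scanner's "remediation: upgrade to" lines in the thread.
MIN_VERSIONS: Dict[str, Version] = {
    "jquery": (3, 5, 0),
    "moment": (2, 19, 3),
}

# Assumed banner formats (first lines of the shipped files):
#   jQuery : "/*! jQuery v3.5.1 | (c) JS Foundation ..."   (minified)
#            "/*!\n * jQuery JavaScript Library v3.5.1"    (unminified)
#   moment : "//! moment.js\n//! version : 2.24.0"
BANNER_PATTERNS = {
    "jquery": re.compile(r"jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+\.\d+\.\d+)"),
    "moment": re.compile(r"//!\s*moment\.js\s*\n//!\s*version\s*:\s*(\d+\.\d+\.\d+)"),
}

HEAD_BYTES = 2048  # banners sit at the top; no need to read whole minified files


def parse_version(text: str) -> Version:
    """'2.19.3' -> (2, 19, 3); tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def identify(head: str) -> Optional[Tuple[str, Version]]:
    """Return (library, version) if the file head carries a known banner."""
    for lib, pattern in BANNER_PATTERNS.items():
        match = pattern.search(head[:HEAD_BYTES])
        if match:
            return lib, parse_version(match.group(1))
    return None


def check_files(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map each .js file (relative path -> contents) with a banner to a finding."""
    findings: Dict[str, Dict[str, object]] = {}
    for path, contents in files.items():
        if not path.endswith(".js"):
            continue
        hit = identify(contents)
        if hit is None:
            continue
        lib, version = hit
        findings[path] = {
            "library": lib,
            "version": ".".join(map(str, version)),
            "meets_floor": version >= MIN_VERSIONS[lib],
        }
    return findings


def check_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Run the same check over a directory on disk (e.g. an installed webserver's static dir)."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read(HEAD_BYTES)
    return check_files(files)


# Constructed sample tree: a current moment and jQuery, one stale jQuery copy,
# and an application file with no vendor banner at all.
SAMPLE_FILES: Dict[str, str] = {
    "www/static/moment.min.js":
        "//! moment.js\n//! version : 2.24.0\n//! license : MIT\n!function(e,t){}();\n",
    "www/static/jquery.min.js":
        "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
        "!function(e,t){}();\n",
    "legacy/jquery-1.7.2.min.js":
        "/*! jQuery v1.7.2 jquery.com | jquery.org/license */\n(function(a,b){})();\n",
    "www/static/app.js":
        "console.log('application code, no vendor banner');\n",
}


if __name__ == "__main__":
    for path, finding in sorted(check_files(SAMPLE_FILES).items()):
        status = "ok" if finding["meets_floor"] else "BELOW FLOOR"
        print(f"{status:12} {finding['library']} {finding['version']}  {path}")
```

Point `check_tree()` at the directory the webserver actually serves static assets from (the exact path is installation-specific) and reconcile its output with the scanner's report: a scanner that keys on file names, lockfile entries or partial signatures can report a library the deployment no longer ships, and a stale copy left under another directory can survive an upgrade. This only addresses items 1 and 2 of the report; a CVE against Airflow itself (item 3) has to be confirmed against the Airflow version and code, which is why the thread points such questions at the private security address.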
