[
https://issues.apache.org/jira/browse/HBASE-29651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nihal Jain resolved HBASE-29651.
--------------------------------
Hadoop Flags: Reviewed
Resolution: Fixed
Thank you [~xavierfernandis] for raising the issue and your first contribution
in Apache HBase.
> Bump jruby to 9.4.14.0 to fix multiple CVEs
> -------------------------------------------
>
> Key: HBASE-29651
> URL: https://issues.apache.org/jira/browse/HBASE-29651
> Project: HBase
> Issue Type: Bug
> Components: jruby, security
> Reporter: Xavier Fernandis
> Assignee: Xavier Fernandis
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.0, 3.0.0-beta-2
>
>
> h2. Overview
> Sonatype security scan has identified multiple vulnerabilities in our current
> JRuby version 9.4.12.1. These vulnerabilities pose security risks and require
> immediate remediation through version upgrade.
> h2. Impact Assessment
> * *High Risk:* 3 critical vulnerabilities with CVSS 7+ scores
> * *Attack Vectors:* Denial of Service, Memory Exhaustion, Regular Expression
> DoS
> * *Affected Components:* CGI gem, Net::IMAP library, REXML parser
> * *Business Impact:* Potential service disruption, resource exhaustion
> h2. Confirmed Fixes
> * *CVE-2025-27219 & CVE-2025-27220:* Fixed in JRuby 9.4.14.0 (CGI gem
> updated [https://github.com/jruby/jruby/pull/8954])
> * *CVE-2025-43857:* Fixed in JRuby 9.4.13.0 (Net::IMAP updated to 0.2.5
> [https://github.com/jruby/jruby/pull/8827])
> h2. References
> - [JRuby 9.4.14.0 Release
> Notes]([https://github.com/jruby/jruby/releases/tag/9.4.14.0])
> - [CVE-2025-27219 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27219])
> - [CVE-2025-27220 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27220])
> - [CVE-2025-43857 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-43857])
> h2. Action required
> *Upgrade JRuby from 9.4.12.1 to 9.4.14.0 (minimum safe version)*
> h2.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
