Basapuram Kumar created RANGER-5023:

Summary: Upgrade commons-io dependency to fix CVE-2024-47554
Key: RANGER-5023
URL: https://issues.apache.org/jira/browse/RANGER-5023
Project: Ranger
Issue Type: Improvement
Components: Ranger
Affects Versions: 2.5.0, 2.4.0
Reporter: Basapuram Kumar

commons-io can be upgraded from 2.11.0 to 2.16.0 to avoid CVE-2024-47554.

CVE Reference: CVE-2024-47554 - https://nvd.nist.gov/vuln/detail/CVE-2024-47554

CVE-2024-47554 Description:
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Suggesting 2.16.1, as Hadoop also runs on the same version.

Please let us know if it will be okay to move to the latest version of commons-io, 2.18.0.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
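The ticket's affected range ("from 2.0 before 2.14.0") is the check a build owner wants to run over a resolved dependency tree before and after the bump. The following Python audit script is an added example, not part of the RANGER-5023 ticket or of the Ranger project; it parses the `groupId:artifactId:type:version:scope` node format printed by `mvn dependency:tree` and flags any commons-io node whose version falls inside the affected range. The dependency-tree text and the `org.example:example-app` coordinates are constructed sample input, not Ranger's actual tree.

```python
"""Audit a Maven dependency tree for commons-io versions affected by CVE-2024-47554.

Added example, not code from the RANGER-5023 ticket or the Ranger project.
The affected range (>= 2.0, < 2.14.0) is taken from the CVE description
quoted in the ticket. SAMPLE_TREE is constructed input in the line format
printed by `mvn dependency:tree`.
"""
import re
from typing import List, Tuple

# Inclusive lower bound ("from 2.0") and exclusive upper bound ("before 2.14.0").
AFFECTED_MIN = (2, 0, 0)
FIXED_VERSION = (2, 14, 0)

# Matches "commons-io:commons-io:<type>:<version>" as printed by dependency:tree,
# e.g. "[INFO] +- commons-io:commons-io:jar:2.11.0:compile".
DEP_RE = re.compile(r"commons-io:commons-io:[a-z]+:([0-9][0-9A-Za-z.\-]*)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.11.0' (or '2.16.1-SNAPSHOT') into a 3-tuple for comparison.

    Qualifiers after '-' are dropped; missing components are padded with 0,
    so '2.0' compares as (2, 0, 0).
    """
    numeric = text.split("-")[0]
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if this commons-io version is inside the CVE-2024-47554 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def find_commons_io(tree_output: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every commons-io node in the tree text."""
    found = []
    for line in tree_output.splitlines():
        match = DEP_RE.search(line)
        if match:
            version = match.group(1)
            found.append((version, is_affected(version)))
    return found


def audit(tree_output: str) -> List[str]:
    """Produce one human-readable finding per commons-io node."""
    report = []
    for version, affected in find_commons_io(tree_output):
        status = "AFFECTED (CVE-2024-47554)" if affected else "ok"
        report.append(f"commons-io {version}: {status}")
    return report


# Constructed sample tree: a direct 2.11.0 dependency (as in the ticket) plus a
# transitive 2.16.1 pulled in by a hypothetical library. Not Ranger's real tree.
SAMPLE_TREE = """\
[INFO] org.example:example-app:jar:1.0.0
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- org.example:example-lib:jar:3.0.0:compile
[INFO] |  \\- commons-io:commons-io:jar:2.16.1:compile
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_TREE):
        print(line)
```

Run it against real output with `mvn dependency:tree > tree.txt` and `audit(open("tree.txt").read())`; with `-Dverbose` the plugin also prints omitted-for-conflict nodes, which this regex will pick up too, so a flagged version may be one Maven already discards in favour of the managed one.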