Basapuram Kumar created RANGER-5023:
---------------------------------------
Summary: Upgrade commons-io dependency to fix CVE-2024-47554
Key: RANGER-5023
URL: https://issues.apache.org/jira/browse/RANGER-5023
Project: Ranger
Issue Type: Improvement
Components: Ranger
Affects Versions: 2.5.0, 2.4.0
Reporter: Basapuram Kumar
*commons-io* can be upgraded from *2.11.0* to *2.16.0* to avoid *CVE-2024-47554*.
CVE Reference - [CVE-2024-47554|https://nvd.nist.gov/vuln/detail/CVE-2024-47554]
*CVE-2024-47554 Description:*
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The
org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU
resources when processing maliciously crafted input. This issue affects Apache
Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version
2.14.0 or later, which fixes the issue.
Suggesting *2.16.1*, as Hadoop also runs on the same version. Please let us know if
it would be okay to move *commons-io* to the latest version, *2.18.0*.
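A quick way to confirm that a build no longer resolves an affected commons-io is to check the resolved version against the range given in the CVE description above (from 2.0 before 2.14.0). The script below is an added example, not part of this issue or of the Ranger code base: it parses lines in the format printed by `mvn dependency:tree` and flags any commons-io artifact still inside that range. The sample tree output is constructed for illustration and is not a real Ranger build log.

```python
import re
from typing import List, Tuple

# Affected range taken from the CVE-2024-47554 description:
# Apache Commons IO from 2.0 (inclusive) before 2.14.0 (exclusive).
AFFECTED_FROM = (2, 0, 0)
FIXED_IN = (2, 14, 0)

# Matches commons-io coordinates as printed by `mvn dependency:tree`, e.g.
# "[INFO] +- commons-io:commons-io:jar:2.11.0:compile"
COORD_RE = re.compile(r"commons-io:commons-io:(?:jar|bundle):([0-9][0-9.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.11.0' into (2, 11, 0); pad short versions so '2.0' compares as 2.0.0."""
    parts = tuple(int(p) for p in text.rstrip(".").split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    """True when the version lies in [2.0, 2.14.0), the range fixed by 2.14.0."""
    v = parse_version(version)
    return AFFECTED_FROM <= v < FIXED_IN


def scan_dependency_tree(lines) -> List[Tuple[str, str]]:
    """Return (version, line) for every commons-io entry still in the affected range."""
    findings = []
    for line in lines:
        m = COORD_RE.search(line)
        if m and is_affected(m.group(1)):
            findings.append((m.group(1), line.strip()))
    return findings


# Constructed sample of `mvn dependency:tree` output; not a real Ranger build log.
SAMPLE_TREE = """\
[INFO] org.apache.ranger:ranger-plugins-common:jar:2.5.0
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO] \\- commons-lang:commons-lang:jar:2.6:compile
"""

if __name__ == "__main__":
    for version, line in scan_dependency_tree(SAMPLE_TREE.splitlines()):
        print(f"affected commons-io {version}: {line}")
```

In a real build, feed `scan_dependency_tree` the lines of `mvn dependency:tree` output for each module rather than the sample; the check is on the resolved version, so a transitive dependency from Hadoop or another library that wins Maven's nearest-wins resolution is caught as well.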
--
This message was sent by Atlassian Jira
(v8.20.10#820010)