[
https://issues.apache.org/jira/browse/RANGER-5023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903703#comment-17903703
]
Basapuram Kumar commented on RANGER-5023:
-----------------------------------------
Created Pull Request to address this CVE -
[RANGER-5023|https://github.com/apache/ranger/pull/425]
> Upgrade commons-io dependency to fix CVE-2024-47554
> -----------------------------------------------------
>
> Key: RANGER-5023
> URL: https://issues.apache.org/jira/browse/RANGER-5023
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 2.4.0, 2.5.0
> Reporter: Basapuram Kumar
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> *commons-io* can be upgraded from *2.11.0* to *2.16.0* to avoid
> {*}CVE-2024-47554{*}.
>
> CVE Reference -
> [CVE-2024-47554|https://nvd.nist.gov/vuln/detail/CVE-2024-47554]
> *+CVE-2024-47554 Description:+*
> Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The
> org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU
> resources when processing maliciously crafted input. This issue affects
> Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade
> to version 2.14.0 or later, which fixes the issue.
> Suggesting *2.16.1* as hadoop also runs on same version. Please let us know
> if it will be okay to move to latest version of *commons-io* to *2.18.0*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
