[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17728239#comment-17728239
 ] 

Szucs Villo commented on ZOOKEEPER-4696:
----------------------------------------

There are 3 CVEs in branch-3.8.1:
  [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
  [ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
  [ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)

I think CVE-2022-45688 is a false positive. 
([https://github.com/jeremylong/DependencyCheck/actions/runs/5126385253])
CVE-2023-26048(5.3) and CVE-2023-26049(5.3) are tracked here: 
https://issues.apache.org/jira/browse/ZOOKEEPER-4700.

> Update for Zookeeper latest version 
> ------------------------------------
>
>                 Key: ZOOKEEPER-4696
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.8.0
>            Reporter: Dilip anand
>            Assignee: Szucs Villo
>            Priority: Critical
>              Labels: CVE
>
> Hi team,
>        We ran a scan for security vulnerability fixes, and we have seen CVEs that 
> affect ZooKeeper. The version of ZooKeeper we are using is 3.8.0. 
> Here are the CVEs which affect ZooKeeper: 
> CVE-2022-32221, CVE-2023-23914, CVE-2023-27533, CVE-2023-27534, CVE-2022-22576, CVE-2020-8169, CVE-2020-8285, CVE-2020-8286, CVE-2021-22926, CVE-2021-22946, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2023-23916
> which do not have any reports on the Red Hat website. We want to know what 
> version of ZooKeeper will clear these CVEs and when it will be released.
> Regards,
> Dilip
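The comment above shows the kind of scanner output a release engineer has to triage: some findings are false positives, some are already tracked in another ticket, and anything left over should block. The following is an added example (not ZooKeeper code, not the dependency-check tool, and not the commenter's) that parses the `[ERROR] <jar>: CVE-...(score)` lines as they were wrapped in the e-mail and sorts them against a triage table. The table mirrors the commenter's decisions (CVE-2022-45688 as a false positive, the two Jetty CVEs tracked in ZOOKEEPER-4700); the `example-lib` line, the CVE `CVE-2099-00001` and the CVSS threshold of 7.0 are constructed assumptions added to show an untriaged finding.

```python
"""Triage helper for dependency-check style '[ERROR] jar: CVE(score)' lines.

Added example, not code from the ZooKeeper project or from dependency-check.
It parses the scanner summary lines quoted in the comment (including lines
wrapped after a trailing comma, as the e-mail wrapped them), then splits the
findings into three buckets: recorded false positives, findings already
tracked in a Jira ticket, and findings that still need a decision.
"""
import re
from dataclasses import dataclass

# Constructed sample: the three lines quoted in the comment, wrapped the way
# the e-mail wrapped them, plus one invented line with no triage entry.
SAMPLE_OUTPUT = """\
  [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
  [ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3),
CVE-2023-26049(5.3)
  [ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3),
CVE-2023-26049(5.3)
  [ERROR] example-lib-1.0.0.jar: CVE-2099-00001(9.8)
"""

# Triage decisions keyed by CVE id. 'false_positive' reflects the commenter's
# assessment; 'tracked' carries the Jira key given in the comment.
TRIAGE = {
    "CVE-2022-45688": ("false_positive", "per comment; see linked DependencyCheck run"),
    "CVE-2023-26048": ("tracked", "ZOOKEEPER-4700"),
    "CVE-2023-26049": ("tracked", "ZOOKEEPER-4700"),
}

FINDING_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
LINE_RE = re.compile(r"^\s*\[ERROR\]\s+(\S+\.jar):\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    jar: str
    cve: str
    score: float


def _unwrap(text: str):
    """Join a line ending in ',' with the following line (e-mail wrapping)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = buf + " " + line.lstrip()
            buf = ""
        if line.endswith(","):
            buf = line
            continue
        yield line
    if buf:
        yield buf


def parse_findings(text: str) -> list:
    """Return one Finding per (jar, CVE) pair found in the scanner output."""
    findings = []
    for line in _unwrap(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        jar, rest = m.groups()
        for cve, score in FINDING_RE.findall(rest):
            findings.append(Finding(jar, cve, float(score)))
    return findings


def triage(findings, table=TRIAGE) -> dict:
    """Split findings into 'false_positive', 'tracked' and 'untriaged' lists."""
    out = {"false_positive": [], "tracked": [], "untriaged": []}
    for f in findings:
        status, _note = table.get(f.cve, ("untriaged", ""))
        out[status].append(f)
    return out


def blocking(findings, table=TRIAGE, min_score=7.0) -> list:
    """Findings that should fail a build: untriaged and at or above the CVSS threshold."""
    return [f for f in triage(findings, table)["untriaged"] if f.score >= min_score]


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_OUTPUT)
    for status, items in triage(fs).items():
        print(status, [(f.jar, f.cve, f.score) for f in items])
    print("blocking:", [(f.jar, f.cve) for f in blocking(fs)])
```

Keying the table by CVE id alone is deliberate for this small case; in a real pipeline the entry should also be tied to the artifact (dependency-check's own suppression file does this with a `<packageUrl>` next to the `<cve>`), so that a suppression for jackson-core does not silently cover the same CVE id if it is ever attached to another jar.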



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
