[ https://issues.apache.org/jira/browse/ZOOKEEPER-4868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated ZOOKEEPER-4868:
--------------------------------------
Labels: pull-request-available (was: )
> Bump commons-io library to 2.14.0
> ---------------------------------
>
> Key: ZOOKEEPER-4868
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4868
> Project: ZooKeeper
> Issue Type: Task
> Components: server
> Affects Versions: 3.8.4, 3.9.2
> Reporter: Jota Martos
> Priority: Major
> Labels: pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
> CVE-2024-47554 is fixed in that version of the library. Could you please
> confirm whether ZooKeeper is affected by this vulnerability and if so, are
> there any plans to update the dependency?
> {code}
> Java (jar)
> ==========
> Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
> ┌───────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
> │ Library                                       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                   │
> ├───────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
> │ commons-io:commons-io (commons-io-2.11.0.jar) │ CVE-2024-47554 │ HIGH     │ fixed  │ 2.11.0            │ 2.14.0        │ apache-commons-io: Possible denial of service attack on │
> │                                               │                │          │        │                   │               │ untrusted input to XmlStreamReader                      │
> │                                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47554              │
> └───────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘
>
> {code}
> h4. Steps to reproduce
> {code}
> trivy image zookeeper:3.9
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
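As an added example, not part of the Jira issue and not ZooKeeper's or commons-io's own code: a Python script that performs the two checks behind the reporter's question. It reads the bundled commons-io version from the jar's own metadata (META-INF/maven/commons-io/commons-io/pom.properties, falling back to the manifest's Implementation-Version) and compares it with the 2.14.0 fix version from the Trivy table, and it scans the other jars' class files for the internal name org/apache/commons/io/input/XmlStreamReader, the class named in the CVE title. The jar names, the com/example package and the class-file bytes are constructed sample data; on a real image you would feed it the jars from the image's lib directory instead (path assumed, not taken from the issue). The class scan is a plain byte search of the constant pool: it shows whether a class references XmlStreamReader at all, not whether untrusted input ever reaches it, so a hit is the starting point for the "is ZooKeeper affected" question, not the answer.

```python
import io
import re
import zipfile

# CVE-2024-47554 is fixed in commons-io 2.14.0 (the "Fixed Version" in the Trivy table).
FIXED_VERSION = (2, 14, 0)
# Internal name of the class the CVE concerns, as it appears in class-file constant pools.
XML_STREAM_READER = b"org/apache/commons/io/input/XmlStreamReader"
# Maven writes this file into every commons-io release jar; it is the most reliable version source.
POM_PROPERTIES = "META-INF/maven/commons-io/commons-io/pom.properties"


def parse_version(text):
    """'2.11.0' -> (2, 11, 0); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def commons_io_version(zf):
    """Return the commons-io version recorded inside a jar, or None if the jar is not commons-io."""
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        title = re.search(r"^Implementation-Title:\s*(.*)$", manifest, re.M)
        version = re.search(r"^Implementation-Version:\s*(.*)$", manifest, re.M)
        if title and version and re.search(r"commons[ .-]?io", title.group(1), re.I):
            return version.group(1).strip()
    return None


def classes_referencing(zf, needle=XML_STREAM_READER):
    """Class files whose bytes contain the needle: a dependency-free constant-pool scan."""
    return sorted(n for n in zf.namelist() if n.endswith(".class") and needle in zf.read(n))


def assess(jars):
    """jars: mapping of jar file name -> jar bytes, e.g. everything under the image's lib/ directory.

    Reports the bundled commons-io version, whether it is below the fixed version, and which
    classes elsewhere reference XmlStreamReader. Both together make the finding worth chasing;
    a reference alone says nothing about whether untrusted input ever reaches the class.
    """
    report = {"commons_io_version": None, "below_fixed": False, "references": {}}
    for name, data in jars.items():
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            version = commons_io_version(zf)
            if version is not None:
                report["commons_io_version"] = version
                report["below_fixed"] = parse_version(version) < FIXED_VERSION
                continue  # commons-io naturally references its own class; skip it
            hits = classes_referencing(zf)
            if hits:
                report["references"][name] = hits
    report["reachable_reference"] = report["below_fixed"] and bool(report["references"])
    return report


def build_jar(entries):
    """Write an in-memory jar (a zip) from {entry name: str or bytes}; used only for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not real artifacts: a commons-io 2.11.0 jar carrying the metadata files a
# release jar has, and a hypothetical application jar with one class that references the CVE class.
SAMPLE_JARS = {
    "commons-io-2.11.0.jar": build_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n"
                                "Implementation-Title: Apache Commons IO\r\n"
                                "Implementation-Version: 2.11.0\r\n",
        POM_PROPERTIES: "groupId=commons-io\nartifactId=commons-io\nversion=2.11.0\n",
    }),
    "app.jar": build_jar({
        "com/example/XmlConfigLoader.class": b"\xca\xfe\xba\xbe" + XML_STREAM_READER + b"\x00",
        "com/example/Unrelated.class": b"\xca\xfe\xba\xbe\x00",
    }),
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_JARS).items():
        print(f"{key}: {value}")
```

Run against the sample it reports commons-io 2.11.0, below_fixed True and the one referencing class; swap in a jar whose pom.properties says 2.14.0 and below_fixed (and therefore reachable_reference) drops to False, which is the state the dependency bump in this issue is meant to reach.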