[
https://issues.apache.org/jira/browse/ZOOKEEPER-4998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18046529#comment-18046529
]
Dávid Paksy commented on ZOOKEEPER-4998:
----------------------------------------
Hi Paul,
Many thanks for reporting these.
The jline 2.x library is already upgraded under
https://issues.apache.org/jira/browse/ZOOKEEPER-3938
> CVE vulnerabilities in zookeeper 3.9.4
> --------------------------------------
>
> Key: ZOOKEEPER-4998
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4998
> Project: ZooKeeper
> Issue Type: Bug
> Affects Versions: 3.9.4
> Reporter: Paul Shuttlewood
> Priority: Major
>
> We are installing Zookeeper 3.9.4 on a production server which regularly
> undergoes OWASP dependency-check scanning.
> This scan is detecting 6 vulnerabilities (2x high, 4x medium) with Zookeeper
> libraries:
> CVE-2025-11226 - HIGH - apache-zookeeper-3.9.4-bin\lib\logback-core-1.3.15.jar
> CVE-2025-55163 - HIGH - apache-zookeeper-3.9.4-bin\lib\netty-transport-4.1.119.Final.jar
> CVE-2023-35116 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\jackson-databind-2.15.2.jar
> CVE-2023-50572 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\jline-2.14.6.jar
> CVE-2024-6763 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\jetty-http-9.4.57.v20241219.jar
> CVE-2025-58057 - MEDIUM - apache-zookeeper-3.9.4-bin\lib\netty-transport-4.1.119.Final.jar
> Can you provide any details of when you plan to release a new version that
> will fix some/all of these CVE issues?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
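Added example, not code from the issue, the reporter, or the ZooKeeper project: a small Python check that re-verifies a scanner report like the one quoted above against the jars actually shipped in a ZooKeeper lib/ directory. The FLAGGED table is copied from the six findings in the report; the directory listings (SAMPLE_LIB, AFTER_JLINE_UPGRADE) are constructed sample input, and the jline 3.30.0 version in the second listing is hypothetical, since the issue does not say which version replaced 2.14.6. The point of the three statuses is the caveat a practitioner wants: a jar at a different version is reported as "changed", which only means the scanner must be re-run, not that the CVE is fixed.

```python
import os
import re
import sys
from collections import Counter

# Findings copied from the OWASP dependency-check output quoted in ZOOKEEPER-4998:
# (CVE, severity, Maven artifact id, version of the jar that was flagged).
FLAGGED = [
    ("CVE-2025-11226", "HIGH", "logback-core", "1.3.15"),
    ("CVE-2025-55163", "HIGH", "netty-transport", "4.1.119.Final"),
    ("CVE-2023-35116", "MEDIUM", "jackson-databind", "2.15.2"),
    ("CVE-2023-50572", "MEDIUM", "jline", "2.14.6"),
    ("CVE-2024-6763", "MEDIUM", "jetty-http", "9.4.57.v20241219"),
    ("CVE-2025-58057", "MEDIUM", "netty-transport", "4.1.119.Final"),
]

# Maven-style jar names are <artifact>-<version>.jar, where the version is the
# first '-'-separated component that starts with a digit; qualifiers such as
# ".Final" or ".v20241219" remain part of the version. Classifier jars
# (-sources, -javadoc) are not handled, a lib/ directory does not ship them.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


def parse_jar_name(name):
    """Return (artifact, version) for a jar file name, or None for anything else."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def inventory(names):
    """Map artifact id -> set of shipped versions for every parseable jar."""
    inv = {}
    for n in names:
        parsed = parse_jar_name(n)
        if parsed:
            inv.setdefault(parsed[0], set()).add(parsed[1])
    return inv


def check_lib_dir(names):
    """Compare a lib/ listing against FLAGGED.

    status is 'present' when the exact flagged version is still shipped,
              'changed' when the artifact is shipped at a different version
                        (re-run the scanner; a newer version alone is not
                        proof that the CVE is fixed), or
              'absent'  when the artifact is not in the listing at all.
    """
    inv = inventory(names)
    findings = []
    for cve, severity, artifact, version in FLAGGED:
        shipped = inv.get(artifact, set())
        if version in shipped:
            status = "present"
        elif shipped:
            status = "changed"
        else:
            status = "absent"
        findings.append({
            "cve": cve, "severity": severity, "artifact": artifact,
            "flagged_version": version, "shipped": sorted(shipped), "status": status,
        })
    return findings


def summarize(findings):
    """Count findings per status, always reporting all three keys."""
    c = Counter(f["status"] for f in findings)
    return {s: c.get(s, 0) for s in ("present", "changed", "absent")}


# Constructed listing mirroring the jars named in the issue, plus two files
# that are not flagged. Sample input only, not a real directory listing.
SAMPLE_LIB = [
    "zookeeper-3.9.4.jar",
    "logback-core-1.3.15.jar",
    "netty-transport-4.1.119.Final.jar",
    "jackson-databind-2.15.2.jar",
    "jline-2.14.6.jar",
    "jetty-http-9.4.57.v20241219.jar",
    "slf4j-api-2.0.13.jar",
    "README.txt",
]

# Same listing after a jline upgrade. The 3.30.0 version is hypothetical and
# chosen for the example only; the issue does not state the replacement version.
AFTER_JLINE_UPGRADE = [n for n in SAMPLE_LIB if not n.startswith("jline-")] + ["jline-3.30.0.jar"]


def main(argv):
    # Usage: python check_zk_libs.py /path/to/apache-zookeeper-3.9.4-bin/lib
    names = os.listdir(argv[1]) if len(argv) > 1 else SAMPLE_LIB
    findings = check_lib_dir(names)
    for f in findings:
        print(f"{f['cve']:<15} {f['severity']:<7} {f['artifact']}-{f['flagged_version']}: "
              f"{f['status']} (shipped: {', '.join(f['shipped']) or '-'})")
    counts = summarize(findings)
    print(counts)
    return 1 if counts["present"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the lib/ directory of the unpacked distribution as the only argument; the non-zero exit status when any flagged jar is still present at its flagged version makes it usable as a gate in the same pipeline that runs the dependency-check scan.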