[ https://issues.apache.org/jira/browse/KAFKA-16645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Soarez resolved KAFKA-16645.
---------------------------------
    Assignee: Igor Soarez
    Resolution: Won't Fix

The vulnerability has already been addressed in the base image, under the same image tag, so the next published Kafka images will not ship the vulnerability. We do not republish previous releases, so we're not taking any action here.

> CVEs in 3.7.0 docker image
> --------------------------
>
>                 Key: KAFKA-16645
>                 URL: https://issues.apache.org/jira/browse/KAFKA-16645
>             Project: Kafka
>          Issue Type: Task
>    Affects Versions: 3.7.0
>            Reporter: Mickael Maison
>            Assignee: Igor Soarez
>            Priority: Blocker
>             Fix For: 3.8.0, 3.7.1
>
>
> Our [Docker Image CVE Scanner|https://github.com/apache/kafka/actions/runs/8888874393] GitHub action reports 2 high CVEs in our base image:
>
> apache/kafka:3.7.0 (alpine 3.19.1)
> ==================================
> Total: 2 (HIGH: 2, CRITICAL: 0)
>
> ┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
> │ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                       │
> ├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
> │ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
> │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
> │          ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
> │          │ CVE-2024-28757 │          │        │                   │ 2.6.2-r0      │ expat: XML Entity Expansion                                 │
> │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
> └──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
>
> Looking at the [KIP|https://cwiki.apache.org/confluence/display/KAFKA/KIP-975%3A+Docker+Image+for+Apache+Kafka#KIP975:DockerImageforApacheKafka-WhatifweobserveabugoracriticalCVEinthereleasedApacheKafkaDockerImage?] that introduced the docker images, it seems we should release a bugfix when high CVEs are detected. It would be good to investigate and assess whether Kafka is impacted or not.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)