Pavel Kuznetsov created KAFKA-13048: ---------------------------------------
Summary: Update vulnerable dependencies in 2.8.0 Key: KAFKA-13048 URL: https://issues.apache.org/jira/browse/KAFKA-13048 Project: Kafka Issue Type: Bug Components: core, KafkaConnect Affects Versions: 2.8.0 Reporter: Pavel Kuznetsov **Describe the bug** I checked kafka_2.13-2.8.0.tgz distribution with WhiteSource and find out that some libraries have vulnerabilities. Here they are: - jetty-http-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-http:9.4.41.v20210516 - jetty-server-9.4.40.v20210413.jar has CVE-2021-28169 and CVE-2021-34428 vulnerabilities. The way to fix it is to upgrade to org.eclipse.jetty:jetty-server:9.4.41.v20210516 - jetty-servlets-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-servlets:9.4.41.v20210516 **To Reproduce** Download kafka_2.13-2.8.0.tgz and find jars, listed above. Check that these jars with corresponding versions are mentioned in corresponding vulnerability description. **Expected behavior** - jetty-http upgraded to 9.4.41.v20210516 or higher - jetty-server upgraded to 9.4.41.v20210516 or higher - jetty-servlets upgraded to 9.4.41.v20210516 or higher **Actual behaviour** - jetty-http is 9.4.40.v20210413 - jetty-server is 9.4.40.v20210413 - jetty-servlets is 9.4.40.v20210413 -- This message was sent by Atlassian Jira (v8.3.4#803005)