Pavel Kuznetsov created KAFKA-13048:
---------------------------------------
Summary: Update vulnerable dependencies in 2.8.0
Key: KAFKA-13048
URL: https://issues.apache.org/jira/browse/KAFKA-13048
Project: Kafka
Issue Type: Bug
Components: core, KafkaConnect
Affects Versions: 2.8.0
Reporter: Pavel Kuznetsov
**Describe the bug**
I checked kafka_2.13-2.8.0.tgz distribution with WhiteSource and find out that
some libraries have vulnerabilities.
Here they are:
- jetty-http-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to
fix it is to upgrade to org.eclipse.jetty:jetty-http:9.4.41.v20210516
- jetty-server-9.4.40.v20210413.jar has CVE-2021-28169 and CVE-2021-34428
vulnerabilities. The way to fix it is to upgrade to
org.eclipse.jetty:jetty-server:9.4.41.v20210516
- jetty-servlets-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way
to fix it is to upgrade to org.eclipse.jetty:jetty-servlets:9.4.41.v20210516
**To Reproduce**
Download kafka_2.13-2.8.0.tgz and find jars, listed above.
Check that these jars with corresponding versions are mentioned in
corresponding vulnerability description.
**Expected behavior**
- jetty-http upgraded to 9.4.41.v20210516 or higher
- jetty-server upgraded to 9.4.41.v20210516 or higher
- jetty-servlets upgraded to 9.4.41.v20210516 or higher
**Actual behaviour**
- jetty-http is 9.4.40.v20210413
- jetty-server is 9.4.40.v20210413
- jetty-servlets is 9.4.40.v20210413
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
