[ https://issues.apache.org/jira/browse/KAFKA-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17773985#comment-17773985 ]
Bruno Cadonna commented on KAFKA-15577:
---------------------------------------

The vulnerability is in the H2 database engine and not directly in reload4j. H2 is a test dependency of reload4j. According to the [maven documentation|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope] the test scope is not transitive. Kafka does not pull in the vulnerability through reload4j, as you can see by running the following command:

{{./gradlew printAllDependencies | grep -C 4 ch.qos.reload4j}}

> Reload4j | CVE-2022-45868
> -------------------------
>
>                 Key: KAFKA-15577
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15577
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: masood
>            Priority: Critical
>
> Maven indicates [CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868] in Reload4j.jar.
> [https://mvnrepository.com/artifact/ch.qos.reload4j/reload4j/1.2.19]
> Could you please verify if this vulnerability affects Kafka?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
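The check the comment describes, resolving the dependency graph and confirming that a flagged coordinate does not reach a runtime configuration, can be done more precisely than grepping for context lines around reload4j: parse the tree Gradle prints and report, per configuration, every root-to-target path (or that the target is absent). The script below is an added example, not code from the Kafka project or from reload4j. The tree it parses is a constructed sample in the format printed by `gradle dependencies`; `com.example:some-test-helper` is a hypothetical artifact invented to show H2 appearing only on a test classpath, and nothing in the sample is a claim about Kafka's real graph.

```python
"""Report where a Maven coordinate occurs in `gradle dependencies` output.

Added example (not Kafka's or reload4j's code). SAMPLE_TREE is a constructed
stand-in for real Gradle output; com.example:some-test-helper is hypothetical.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: reload4j on the runtime classpath, H2 reachable only
# via a hypothetical test-only helper on the test classpath.
SAMPLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.slf4j:slf4j-api:1.7.36
\--- org.slf4j:slf4j-reload4j:1.7.36
     +--- org.slf4j:slf4j-api:1.7.36
     \--- ch.qos.reload4j:reload4j:1.2.19

testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- org.slf4j:slf4j-reload4j:1.7.36
|    \--- ch.qos.reload4j:reload4j:1.2.19
\--- com.example:some-test-helper:1.0
     \--- com.h2database:h2:2.1.210

(*) - dependencies omitted (listed previously)
"""

# A tree node: 5-char indent units ("|    " or "     "), then "+--- " or
# "\--- ", the coordinate, and optional trailing " -> version" / " (*)" marks.
NODE_RE = re.compile(r'^(?P<indent>(?:[| ]    )*)[+\\]--- (?P<coord>\S+)(?P<rest>.*)$')
# A configuration header: "name" or "name - description", unindented.
CONFIG_RE = re.compile(r'^(?P<name>[A-Za-z][\w.-]*)(?: - .*)?$')


def parse_coordinate(coord: str, rest: str) -> Tuple[str, Optional[str]]:
    """Split 'group:artifact[:version]'; a ' -> X' suffix overrides the version."""
    parts = coord.split(':')
    group_artifact = ':'.join(parts[:2])
    version = parts[2] if len(parts) > 2 else None
    override = re.search(r'-> (\S+)', rest)
    if override:
        version = override.group(1)
    return group_artifact, version


def find_paths(tree_text: str, target: str) -> Dict[str, List[List[str]]]:
    """Map each configuration to the root-to-target paths found under it.

    target is 'group:artifact'. A configuration where the target never
    occurs maps to an empty list, so absence is reported explicitly.
    """
    paths: Dict[str, List[List[str]]] = {}
    config: Optional[str] = None
    stack: List[str] = []  # coordinates from the root of the current subtree
    for line in tree_text.splitlines():
        if not line.strip():
            continue
        node = NODE_RE.match(line)
        if node is None:
            header = CONFIG_RE.match(line)
            if header:  # new configuration section; reset the path stack
                config = header.group('name')
                paths.setdefault(config, [])
                stack = []
            continue  # footer lines such as "(*) - ..." are ignored
        depth = len(node.group('indent')) // 5
        group_artifact, version = parse_coordinate(node.group('coord'), node.group('rest'))
        del stack[depth:]  # drop nodes at this depth or deeper (siblings and their children)
        stack.append(f'{group_artifact}:{version}' if version else group_artifact)
        if group_artifact == target and config is not None:
            paths[config].append(list(stack))
    return paths


def report(tree_text: str, target: str) -> str:
    lines = []
    for config, hits in find_paths(tree_text, target).items():
        if not hits:
            lines.append(f'{config}: {target} absent')
        for path in hits:
            lines.append(f'{config}: ' + ' -> '.join(path))
    return '\n'.join(lines)


if __name__ == '__main__':
    # usage: python3 find_dep.py group:artifact [gradle-dependencies-output.txt]
    target = sys.argv[1] if len(sys.argv) > 1 else 'com.h2database:h2'
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_TREE
    print(report(text, target))
```

Against real output, save `./gradlew dependencies --configuration runtimeClasspath` (or the project's own `printAllDependencies` task) to a file and pass it as the second argument; an empty path list for the runtime configurations is the evidence that a test-scoped dependency of a library was not propagated.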