[ https://issues.apache.org/jira/browse/KAFKA-14983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17721352#comment-17721352 ]

Divij Vaidya commented on KAFKA-14983:
--------------------------------------

There is a PR open for this [https://github.com/apache/kafka/pull/13673] 

I doubt, though, that this will make it into 3.5.0 since it's past the code 
freeze date. The vulnerabilities are moderate/low in nature. I will let folks 
familiar with the Connect framework chime in here, but AFAIK the first one 
impacts servlets supporting multipart, which we don't use in Kafka, and the 
second one impacts cookie parsing, which again we don't use in Kafka.

Currently, we are targeting upgrading this dependency version in 3.6.0.

[~ChrisEgerton], since you are very much familiar with connect framework and 
Jetty is used only in the connect framework, could you please validate that it 
is ok to wait till 3.6.0 before fixing this CVE?

> Upgrade jetty-server to 9.4.51
> ------------------------------
>
>                 Key: KAFKA-14983
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14983
>             Project: Kafka
>          Issue Type: Task
>    Affects Versions: 3.4.0
>            Reporter: Beltran
>            Priority: Minor
>             Fix For: 3.5.0
>
>
> Kafka's latest versions, e.g. 3.4.0, include jetty-server-9.4.48.v20220622.jar, 
> which has 2 vulnerabilities: CVE-2023-26048 and CVE-2023-26049. Upgrading 
> to 9.4.51 would fix those issues.
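A practical way to check which Jetty build a Kafka installation actually ships, as an added example that is not part of this Jira thread or of the Kafka project's code: the script below inventories the jar names in a distribution's libs/ directory and flags any jetty-server jar older than 9.4.51, the fixed version named in the issue. The jar name jetty-server-9.4.48.v20220622.jar and the 9.4.51 threshold come from the issue; the libs/ directory layout, the SAMPLE_LIBS listing and the helper names are assumptions made for this example.

```python
"""
Added example, not from the Jira thread or the Kafka code base: list the
Jetty jars bundled in a Kafka distribution's libs/ directory and flag any
jetty-server build below the version the issue names as fixed (9.4.51).
"""
import re
from pathlib import Path

# From the issue: 9.4.51 is the version that fixes CVE-2023-26048 / CVE-2023-26049.
FIXED_VERSION = (9, 4, 51)

# Matches e.g. jetty-server-9.4.48.v20220622.jar and splits it into
# artifact ("jetty-server"), version ("9.4.48") and the optional build
# qualifier ("v20220622"). The qualifier is ignored for the comparison.
JAR_RE = re.compile(r"^(jetty-[a-z-]+)-(\d+\.\d+\.\d+)(?:\.(v\d{8}))?\.jar$")


def parse_jetty_jar(name):
    """Return (artifact, version_tuple) for a Jetty jar filename, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    artifact, version, _qualifier = m.groups()
    return artifact, tuple(int(part) for part in version.split("."))


def find_outdated(jar_names, fixed=FIXED_VERSION, artifacts=("jetty-server",)):
    """Return the jar names for the given artifacts whose version is below `fixed`.

    Versions compare as integer tuples, so 9.4.48 < 9.4.51 < 10.0.1 as expected
    (a plain string comparison would get "9.4.48" vs "9.4.51" right but
    "9.4.9" vs "9.4.51" wrong).
    """
    outdated = []
    for name in jar_names:
        parsed = parse_jetty_jar(name)
        if parsed and parsed[0] in artifacts and parsed[1] < fixed:
            outdated.append(name)
    return outdated


def scan_libs(libs_dir):
    """Scan an on-disk libs/ directory (assumed layout: <kafka_root>/libs)."""
    return find_outdated(p.name for p in Path(libs_dir).glob("jetty-*.jar"))


# Constructed sample listing resembling a 3.4.0 distribution's libs/ directory.
SAMPLE_LIBS = [
    "jetty-server-9.4.48.v20220622.jar",
    "jetty-servlet-9.4.48.v20220622.jar",
    "jetty-http-9.4.48.v20220622.jar",
    "connect-runtime-3.4.0.jar",
]

if __name__ == "__main__":
    fixed_str = ".".join(str(p) for p in FIXED_VERSION)
    for jar in find_outdated(SAMPLE_LIBS):
        print(f"{jar}: jetty-server below {fixed_str}, affected by the CVEs in KAFKA-14983")
```

Pointing `scan_libs()` at a real installation's libs/ directory gives the same report for that host; the check only reads filenames, so it is safe to run on a production box and easy to fold into an inventory job.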



--
This message was sent by Atlassian Jira
(v8.20.10#820010)