Hi Team,

Any update regarding the below CVEs? When can these be fixed?

CVE-2022-42003
CVE-2022-42004

Regards,
Sahil

-----Original Message-----
From: Josep Prat <josep.p...@aiven.io.INVALID>
Sent: Thursday, December 7, 2023 3:08 PM
To: users@kafka.apache.org
Subject: Re: Fix for CVEs

Hi Sahil,

Regarding CVE-2023-31582: it affects jose4j versions prior to 0.9.3 (0.9.3 itself not included). Apache Kafka has been using jose4j version 0.9.3 for a while now; it was introduced in this commit[1] on May 13. Since Kafka 3.4.1, all versions have been shipped with jose4j 0.9.3. Please note that NVD's CVE page[2] states that this affects "Up to (excluding): 0.9.3". Also, the jose4j release notes[3] specify that this specific vulnerability was fixed in 0.9.3.

How did you detect that Kafka was affected by CVE-2023-31582?

Best,

[1]: https://github.com/apache/kafka/commit/fa7818dff5a28048401654a7497e56dbc988b755
[2]: https://nvd.nist.gov/vuln/detail/CVE-2023-31582#range-9713327
[3]: https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes

On Thu, Dec 7, 2023 at 10:00 AM Sahil Sharma D <sahil.d.sha...@ericsson.com.invalid> wrote:

> Hi team,
>
> There is another vulnerability we detected; can you please share whether
> Kafka is planning to fix this vulnerability:
> CVE-2023-31582
> GHSA-jgvc-jfgh-rjvv
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 17 October 2023 02:45 PM
> To: 'users@kafka.apache.org' <users@kafka.apache.org>
> Subject: RE: Fix for CVEs
>
> Hi Team,
>
> There is another vulnerability we detected, CVE-2023-4586. Can you
> please share whether Kafka is planning to fix this vulnerability and the CVEs
> mentioned in the mail trail.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 14 September 2023 05:51 PM
> To: 'users@kafka.apache.org' <users@kafka.apache.org>
> Subject: Fix for CVEs
>
> Hi Team,
>
> As suggested earlier, I tried to reach "secur...@apache.org"; this address is
> meant for coordinating still-undisclosed potential vulnerabilities only.
>
> Can you please share the release plan for the below mentioned CVEs:
>
> CVE-2023-34454
> CVE-2023-34453
> CVE-2022-42003
> CVE-2022-42004
> CVE-2023-34462
> CVE-2023-35116
>
> Regards,
> Sahil

--
Josep Prat
Open Source Engineering Director, Aiven
josep.p...@aiven.io | aiven.io