You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Luke Chen (Jira)" <ji...@apache.org> on 2023/05/18 09:21:00 UTC
[jira] [Comment Edited] (KAFKA-15000) High vulnerability PRISMA-2023-0067 reported in jackson-core
[ https://issues.apache.org/jira/browse/KAFKA-15000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723867#comment-17723867 ]
Luke Chen edited comment on KAFKA-15000 at 5/18/23 9:20 AM:
------------------------------------------------------------
[~arushir] , where do you see this is a "high vulnerability"?
Looks like there's no CVE for it, so it's really hard to determine if it is a high severity vulnerability or not. Because it is a major version change from Jackson-core 2.14.x to 2.15.x, I don't think we will do this change at the last minute if it's not high severity vulnerability.
was (Author: showuon):
[~arushir] , where do you see this is a "high vulnerability"?
Looks like there's no CVE for it. It's really hard to determine if it is a high severity vulnerability or not. Because it is a major version change from Jackson-core 2.14.x to 2.15.x, I don't think we will do this change at the last minute if it's not high severity vulnerability.
> High vulnerability PRISMA-2023-0067 reported in jackson-core
> ------------------------------------------------------------
>
> Key: KAFKA-15000
> URL: https://issues.apache.org/jira/browse/KAFKA-15000
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 3.4.0, 3.3.2
> Reporter: Arushi Rai
> Priority: Critical
>
> Kafka is using jackson-core version 2.13.4 which has high vulnerability reported [PRISMA-2023-0067. |https://github.com/FasterXML/jackson-core/pull/827]
> This vulnerability is fix in Jackson-core 2.15.0 and Kafka should upgrade to the same.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)