
High severity vulnerabilities CVE-2024-29857 , CVE-2024-30171 and CVE-2024-30172 detected in ksql #10350

Open
bhargavyk2002 opened this issue May 22, 2024 · 2 comments

Comments

@bhargavyk2002

Hi,
Anchore scan has detected 3 vulnerabilities from the package 'org.bouncycastle'. These are being flagged as High severity even though no vulnerability score is present in the NVD database.

  1. CVE-2024-29857
  2. CVE-2024-30171
  3. CVE-2024-30172

These packages are present in ksql as dependencies:
org.bouncycastle:bcprov-jdk18on:jar
bouncycastle:bcpkix-jdk18on:jar

The mitigation is to upgrade to the fixed version, i.e. 1.78.
Are there any plans to upgrade these packages?
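A quick way to confirm whether a build still pulls in the affected artifacts is to check the resolved Bouncy Castle versions against the fixed version named above. The following is an added example, not code from this issue or from the ksql project: it parses the artifact lines printed by `mvn dependency:list` (the `groupId:artifactId:type[:classifier]:version:scope` format is assumed), and flags any `org.bouncycastle` artifact older than 1.78. The dependency-list lines are constructed sample input, not output from a real ksql build.

```python
import re
from typing import List, Tuple

BC_GROUP = "org.bouncycastle"
FIXED_VERSION = "1.78"  # fixed version stated in the issue

# Matches artifact lines printed by `mvn dependency:list`, for example
# "[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.77:compile"
# (assumed format: groupId:artifactId:type[:classifier]:version:scope).
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.78.1' into (1, 78, 1); parsing stops at the first non-numeric part."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable_bouncycastle(dependency_list: str,
                                 fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) for every Bouncy Castle artifact below `fixed`."""
    fixed_tuple = parse_version(fixed)
    findings: List[Tuple[str, str]] = []
    for line in dependency_list.splitlines():
        match = DEP_LINE.match(line)
        if not match or match.group("group") != BC_GROUP:
            continue
        version = match.group("version")
        # Tuple comparison: (1, 77) < (1, 78), while (1, 78, 1) is not below (1, 78).
        if parse_version(version) < fixed_tuple:
            coordinate = f"{match.group('group')}:{match.group('artifact')}"
            findings.append((coordinate, version))
    return findings


# Constructed sample output in the shape of `mvn dependency:list`; the module
# name and the non-Bouncy-Castle artifact are placeholders.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- dependency:list (default-cli) @ example-module ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
[INFO]    org.bouncycastle:bcpkix-jdk18on:jar:1.77:compile
[INFO]    org.bouncycastle:bcutil-jdk18on:jar:1.78:compile
[INFO]    org.example:example-library:jar:2.0.0:compile
[INFO]
"""

if __name__ == "__main__":
    for coordinate, version in find_vulnerable_bouncycastle(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate} resolved to {version}; fixed in {FIXED_VERSION}")
```

Run against real output with `mvn dependency:list | python check_bc.py` after replacing the constructed sample with `sys.stdin.read()`; an empty result means every resolved Bouncy Castle artifact is at or above the fixed version.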

@janjwerner-confluent
Member

@bhargavyk2002
Thank you for this issue. Those issues will be addressed in the quarterly patch release in Q2 2024.

@voyc-jean

@janjwerner-confluent the last release of ksql was 0.29.0 on 2023-06-22. Is an update still planned?
