Merge pull request #7930 from microsoft/users/v-shufeng/fix-202309-cve

fix 202309 CVE
microsoft · Oct 11, 2023 · e8093b7 · e8093b7
2 parents 9d61554 + e16c550
commit e8093b7
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/Utils/azure-toolkit-ide-hdinsight-libs/pom.xml b/Utils/azure-toolkit-ide-hdinsight-libs/pom.xml
@@ -22,7 +22,7 @@
         <azure.toolkit-lib.version>0.38.0-SNAPSHOT</azure.toolkit-lib.version>
         <azure.toolkit-ide-lib.version>0.38.0-SNAPSHOT</azure.toolkit-ide-lib.version>
         <hdinsight.toolkit-ide-lib.version>0.1.0</hdinsight.toolkit-ide-lib.version>
-        <jetty.version>9.4.51.v20230217</jetty.version>
+        <jetty.version>9.4.53.v20231009</jetty.version>
         <woodstox.version>6.4.0</woodstox.version>
         <hadoop.version>3.3.3</hadoop.version>
         <snappyjava.version>1.1.10.4</snappyjava.version>
@@ -111,13 +111,22 @@
                         <groupId>org.xerial.snappy</groupId>
                         <artifactId>snappy-java</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.avro</groupId>
+                        <artifactId>avro</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency><!-- hadoop-common 3.3.3 CVE-2023-34455 -->
                 <groupId>org.xerial.snappy</groupId>
                 <artifactId>snappy-java</artifactId>
                 <version>${snappyjava.version}</version>
             </dependency>
+            <dependency><!-- hadoop-common 3.3.3 CVE-2023-39410 -->
+                <groupId>org.apache.avro</groupId>
+                <artifactId>avro</artifactId>
+                <version>1.11.3</version>
+            </dependency>
             <dependency><!--CVE-2022-40153-->
                 <groupId>com.fasterxml.woodstox</groupId>
                 <artifactId>woodstox-core</artifactId>