Critical Description
The following vulnerabilities exist in the packages bundled by Avro. These packages need to be upgraded to the latest versions. Although a few of these vulnerabilities were raised a couple of years ago in AVRO-1126 and an attempt to address the backwards compatibility issue in AVRO-1605 there does not appear to be a resolution. If there is no resolution on these issues, we may be forced to fork based on this PR.
org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these critical / high vulns:
https://nvd.nist.gov/vuln/detail/CVE-2018-7489
https://nvd.nist.gov/vuln/detail/CVE-2017-15095
https://nvd.nist.gov/vuln/detail/CVE-2017-7525
https://nvd.nist.gov/vuln/detail/CVE-2017-17485
https://nvd.nist.gov/vuln/detail/CVE-2018-5968
org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high vulnerability:
- https://nvd.nist.gov/vuln/detail/CVE-2016-7051
org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
- https://nvd.nist.gov/vuln/detail/CVE-2018-11771
com.google.guava:guava:11.0.2
-https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Attachments
Issue Links
- is superceded by
-
AVRO-2265 Remove Guava as a dependency
-
- Resolved
-
- links to