  1. Beam
  2. BEAM-11227

Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Details

    • Type: Bug
    • Status: Triage Needed
    • Priority: P1
    • Resolution: Fixed
    • Affects Version/s: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
    • Fix Version/s: 2.30.0
    • Component/s: build-system

    Description

      Description: Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0 » 0.3 uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.

      Affected Versions:
      Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.

      Recommendation / Update Suggestion:
      Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.

      Attachments

        1. image (28).png
          28 kB
          Abel Matos

          People

            Assignee: suztomo Tomo Suzuki
            Reporter: bmbodj Boury Mbodj

              Time Tracking

                Original Estimate: Not Specified
                Remaining Estimate: 0h
                Time Spent: 163h
