  1. Beam
  2. BEAM-11227

Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P1
    • Resolution: Fixed
    • Affects Version/s: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
    • Fix Version/s: 2.30.0
    • Component/s: build-system
    • Labels:

      Description

      Description: Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0 » 0.3 uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.

      Affected Versions:
      Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.

      Recommendation / Update Suggestion:
      Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.

       

        Attachments

        1. image (28).png
          28 kB
          Abel Matos

            People

            • Assignee:
              suztomo Tomo Suzuki
              Reporter:
              bmbodj Boury Mbodj
            • Votes:
              0
              Watchers:
              9

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Not Specified
                Remaining:
                0h
                Logged:
                163h