Details

    Description

      CVE-2024-47554 is fixed in that version of the library. Could you please confirm whether Zookeeper is affected by this vulnerability and, if so, whether there are any plans to update the dependency?

      Java (jar)
      ==========
      Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
      ┌───────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
      │                    Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
      ├───────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
      │ commons-io:commons-io (commons-io-2.11.0.jar) │ CVE-2024-47554 │ HIGH     │ fixed  │ 2.11.0            │ 2.14.0        │ apache-commons-io: Possible denial of service attack on │
      │                                               │                │          │        │                   │               │ untrusted input to XmlStreamReader                      │
      │                                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47554              │
      └───────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘ 
      

      Steps to reproduce

      trivy image zookeeper:3.9
      

        Activity

          andor Andor Molnar added a comment -

          Issue resolved by pull request 2197
          https://github.com/apache/zookeeper/pull/2197

          tison Zili Chen added a comment - - edited

          FYI, ZK isn't affected by this CVE. But bump version to reduce friction is valuable so we bump it and make scanners happy.

          jotamartos Jota Martos added a comment -

          Thank you for confirming the solution is not affected and for updating the dependency too.
