From 4a5953640fd93f8ecac39c7713851ac4c1ab902b Mon Sep 17 00:00:00 2001
From: Nikhil Erigila <60037808+nikhilerigila09@users.noreply.github.com>
Date: Sat, 4 May 2024 02:00:28 +0530
Subject: [PATCH] [fix][sec] Upgrade Debezium oracle connector version to avoid
 CVE-2023-4586 (#22641)

---
 pom.xml                           | 1 +
 pulsar-io/debezium/oracle/pom.xml | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 048bc952466b3..4bfdc54e55d31 100644
--- a/pom.xml
+++ b/pom.xml
@@ -198,6 +198,7 @@ flexible messaging model and an intuitive client API.</description>
     <opensearch.version>1.2.4</opensearch.version>
     <elasticsearch-java.version>8.5.2</elasticsearch-java.version>
     <debezium.version>1.9.7.Final</debezium.version>
+    <debezium.oracle.version>2.2.0.Final</debezium.oracle.version>
     <debezium.postgresql.version>42.5.0</debezium.postgresql.version>
     <debezium.mysql.version>8.0.30</debezium.mysql.version>
     <!-- Override version that brings CVE-2022-3143 with debezium -->
diff --git a/pulsar-io/debezium/oracle/pom.xml b/pulsar-io/debezium/oracle/pom.xml
index c69640ecff72f..b22a5785dfbe6 100644
--- a/pulsar-io/debezium/oracle/pom.xml
+++ b/pulsar-io/debezium/oracle/pom.xml
@@ -48,7 +48,8 @@
     <dependency>
       <groupId>io.debezium</groupId>
       <artifactId>debezium-connector-oracle</artifactId>
-      <version>${debezium.version}</version>
+      <version>${debezium.oracle.version}</version>
+      <scope>runtime</scope>
     </dependency>
 
   </dependencies>