[Bug] Elasticsearch Java version has a vulnerability CVE-2023-46673, CVE-2023-46674, CVE-2023-31419, CVE-2023-31417, CVE-2023-31418 #21782

Open
nikhil-ctds opened this issue Dec 21, 2023 · 1 comment
Labels
type/bug The PR fixed a bug or issue reported a bug

Comments

nikhil-ctds commented Dec 21, 2023

Search before asking

  • I searched in the issues and found nothing similar.

Version

For Pulsar version 3.1.2 on branch branch-3.1, facing moderate vulnerabilities
CVE-2023-46673, CVE-2023-46674, CVE-2023-31419, CVE-2023-31417, CVE-2023-31418, related to the packages:

  • org.elasticsearch:elasticsearch
  • org.elasticsearch:elasticsearch-hadoop
  • co.elastic.clients:elasticsearch-java

Below are the versions available in Pulsar:

  • <elasticsearch-java.version>8.5.2</elasticsearch-java.version>

Maven Dependency

  • pulsar - org.apache.pulsar 3.1.2

Minimal reproduce step

Run Pulsar CI workflow on pulsar branch - branch-3.1

What did you expect to see?

Expected to pass the OWASP dependency check under Pulsar CI workflow.

What did you see instead?

Vulnerability

 Error:  Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default) on project pulsar: 
 Error:  
 Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
 Error:  
 Error:  elasticsearch-java-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
 Error:  elasticsearch-rest-client-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)

Anything else?

No response

Are you willing to submit a PR?

  • I'm willing to submit a PR!
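Triaging output like the block quoted in this report, as an added example that is not part of this issue or of the Pulsar project: a small Python parser for the dependency-check-maven failure lines that recovers the CVSS threshold the plugin enforced, the findings per jar, and which jars share each CVE. The sample input is the report quoted above; the regexes are assumptions about the plugin's printed line format, not its API.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the dependency-check-maven failure lines quoted in this issue.
SAMPLE_OUTPUT = """\
 Error:  Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default) on project pulsar:
 Error:
 Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
 Error:
 Error:  elasticsearch-java-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
 Error:  elasticsearch-rest-client-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
"""

# Assumed line format: "<artifact>.jar: CVE-....(score), CVE-....(score), ...".
FINDING_RE = re.compile(r"^\s*Error:\s+(?P<jar>\S+\.jar):\s*(?P<cves>.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
# The plugin echoes its failBuildOnCVSS threshold in the summary line.
THRESHOLD_RE = re.compile(r"greater than or equal to '(\d+(?:\.\d+)?)'")


def parse_report(text: str) -> Tuple[float, Dict[str, List[Tuple[str, float]]]]:
    """Return (threshold, {jar: [(cve, score), ...]}) parsed from the plugin's error output."""
    threshold = 0.0
    findings: Dict[str, List[Tuple[str, float]]] = {}
    for line in text.splitlines():
        thr = THRESHOLD_RE.search(line)
        if thr:
            threshold = float(thr.group(1))
            continue
        m = FINDING_RE.match(line)
        if m:
            findings[m.group("jar")] = [(cve, float(s)) for cve, s in CVE_RE.findall(m.group("cves"))]
    return threshold, findings


def failing_jars(text: str) -> List[Tuple[str, float]]:
    """Jars whose worst CVE meets the reported threshold, paired with that score, highest first."""
    threshold, findings = parse_report(text)
    worst = [(jar, max(score for _, score in cves)) for jar, cves in findings.items() if cves]
    return sorted([w for w in worst if w[1] >= threshold], key=lambda w: (-w[1], w[0]))


def jars_by_cve(text: str) -> Dict[str, List[str]]:
    """Invert the report: which jars share each CVE (here every CVE hits both 8.5.2 jars)."""
    _, findings = parse_report(text)
    out: Dict[str, List[str]] = {}
    for jar, cves in findings.items():
        for cve, _ in cves:
            out.setdefault(cve, []).append(jar)
    return {cve: sorted(jars) for cve, jars in sorted(out.items())}
```

When every CVE maps to the same set of jars at the same version, as here, a single version-property bump is the likely fix rather than several independent upgrades.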
hpvd commented May 8, 2024

See also the ongoing discussion in #19093 (comment),
and upvote it if you also think this is important.
