Snyk Scan Results in CVE: 2022-24823, 2023-34462, 2021-43797

[shines1011000]

I added the latest version of aws-msk-iam-auth to a bunch of my java services and Snyk reported multiple medium CVE(s) that are tied to the version of the AWS SDK the library is using:

software.amazon.msk:aws-msk-iam-auth@1.1.7 › software.amazon.awssdk:sso@2.19.26 › software.amazon.awssdk:netty-nio-client@2.19.26 › io.netty:netty-buffer@4.1.68.Final › io.netty:netty-common@4.1.68.Final

The following CVE(s) were reported:

• https://www.cve.org/CVERecord?id=CVE-2022-24823
  • Fixed in: io.netty:netty-common@4.1.77.Final
• https://www.cve.org/CVERecord?id=CVE-2023-34462
  • Fixed in: io.netty:netty-handler@4.1.94.Final
• https://www.cve.org/CVERecord?id=CVE-2021-43797
  • Fixed in: io.netty:netty-codec-http@4.1.71.Final

[hhkkxxx133]

Hello,

We have just released the new version 1.1.8 which upgrades to the latest AWS SDK. This should fix the CVEs mentioned.

Thanks!