aws / aws-msk-iam-auth

Enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters.
Apache License 2.0

2.1.1 release contains vulnerabilities through aws-sdk #179

Open jamielwhite opened 2 weeks ago

jamielwhite commented 2 weeks ago

My team upgraded to the latest release (2.1.1) hoping it would remediate a vulnerability flagged by our scanning software, but it's still identifying a vulnerability for CVE-2024-29025 through this path:

aws-msk-iam-auth-2.1.1-all.jar -> software.amazon.awssdk:2.23.3 -> netty-codec-http:4.1.100.Final

The vulnerability was remediated in netty-codec-http:4.1.108.Final, which is used as of awssdk version 2.25.19. Are there any plans to upgrade the aws-sdk version used by this library?

jvdadda commented 1 week ago

I made a PR about it: https://github.com/aws/aws-msk-iam-auth/pull/181

Do not hesitate to initiate it next time if you can.

And while waiting for the PR merge and release, you can manually upgrade the awssdk version; there are no identified incompatibilities with newer versions.

jamielwhite commented 1 week ago

Thanks! We are downloading the packaged jar directly from GitHub in some cases, so we aren't able to override the version in all of our apps.
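For the packaged-jar case above, where the dependency cannot be overridden at build time, a check that reads the netty-codec-http version recorded inside a jar and compares it with the fixed release named in the issue (an added example, not code from the aws-msk-iam-auth project). It assumes the shaded `-all` jar still carries the Maven metadata entry `META-INF/maven/io.netty/netty-codec-http/pom.properties`; if that entry was stripped during shading, the check reports that it cannot decide rather than guessing.

```python
import io
import re
import sys
import zipfile

# From the issue: CVE-2024-29025 was remediated in netty-codec-http 4.1.108.Final.
FIXED_NETTY_CODEC_HTTP = "4.1.108.Final"
# Maven-built artifacts embed this entry; shaded jars usually keep it unless the
# shadow configuration strips META-INF/maven (assumption, verify on your jar).
POM_PROPERTIES = "META-INF/maven/io.netty/netty-codec-http/pom.properties"


def version_key(version):
    """Turn '4.1.100.Final' into (4, 1, 100) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def bundled_netty_codec_http_version(jar_bytes):
    """Return the netty-codec-http version recorded in the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def is_vulnerable(jar_bytes):
    """True if the bundled netty-codec-http is older than the fixed release,
    False if it is at or past the fix, None if no metadata is present."""
    version = bundled_netty_codec_http_version(jar_bytes)
    if version is None:
        return None
    return version_key(version) < version_key(FIXED_NETTY_CODEC_HTTP)


def build_sample_jar(netty_version=None):
    """Constructed test input: a minimal in-memory jar holding only the
    pom.properties entry (or nothing at all when netty_version is None)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if netty_version is not None:
            jar.writestr(POM_PROPERTIES, "groupId=io.netty\nartifactId=netty-codec-http\n"
                         f"version={netty_version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_netty.py aws-msk-iam-auth-2.1.1-all.jar
    with open(sys.argv[1], "rb") as f:
        print("vulnerable:", is_vulnerable(f.read()))
```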