confluentinc / ksql

The database purpose-built for stream processing applications.
https://ksqldb.io

High severity vulnerabilities CVE-2024-29857, CVE-2024-30171 and CVE-2024-30172 detected in ksql #10350

Open bhargavyk2002 opened 3 months ago

bhargavyk2002 commented 3 months ago

Hi, an Anchore scan has detected 3 vulnerabilities from the package 'org.bouncycastle'. These are being flagged as High severity even though no vulnerability score is present in the NVD database.

  1. CVE-2024-29857
  2. CVE-2024-30171
  3. CVE-2024-30172

These packages are present in ksql as dependencies: org.bouncycastle:bcprov-jdk18on:jar and bouncycastle:bcpkix-jdk18on:jar

The mitigation is to upgrade to the fixed version, i.e. 1.78. Are there any plans to upgrade these packages?
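A small check a maintainer could run against `mvn dependency:tree` output to confirm whether the build still pulls in the two Bouncy Castle artifacts named in this issue below the 1.78 fix version. This is an added example, not code from the ksql project; the sample tree text and the 1.77 and 3.6.0 version numbers in it are constructed for illustration, only the artifact coordinates and the 1.78 threshold come from the issue.

```python
import re
from typing import List, Optional, Tuple

# Fix version and affected coordinates as stated in the issue above.
FIXED_VERSION = "1.78"
AFFECTED_ARTIFACTS = {
    ("org.bouncycastle", "bcprov-jdk18on"),
    ("org.bouncycastle", "bcpkix-jdk18on"),
}

# Constructed sample of `mvn dependency:tree` output. The 1.77 and 3.6.0
# versions are made up for this example and are not taken from the ksql build.
SAMPLE_TREE = """\
[INFO] io.confluent.ksql:ksqldb-rest-app:jar:0.0.0-SNAPSHOT
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
[INFO] +- org.bouncycastle:bcpkix-jdk18on:jar:1.77:compile
[INFO] \\- org.apache.kafka:kafka-clients:jar:3.6.0:compile
"""

# groupId:artifactId:jar:version[:scope]; the scope is absent on the root line.
_COORD = re.compile(
    r"([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+):jar:([A-Za-z0-9_.-]+)(?::(\w+))?"
)

Dep = Tuple[str, str, str, Optional[str]]  # group, artifact, version, scope


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted versions so that 1.78 > 1.7 and 1.10 > 1.9."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def parse_tree(text: str) -> List[Dep]:
    """Extract (group, artifact, version, scope) from each dependency:tree line."""
    deps: List[Dep] = []
    for line in text.splitlines():
        match = _COORD.search(line)
        if match:
            group, artifact, version, scope = match.groups()
            deps.append((group, artifact, version, scope))
    return deps


def find_outdated(text: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str, str]]:
    """Return affected Bouncy Castle artifacts whose resolved version is below `fixed`."""
    threshold = version_key(fixed)
    return [
        (group, artifact, version)
        for group, artifact, version, _scope in parse_tree(text)
        if (group, artifact) in AFFECTED_ARTIFACTS and version_key(version) < threshold
    ]


if __name__ == "__main__":
    for group, artifact, version in find_outdated(SAMPLE_TREE):
        print(f"{group}:{artifact} resolved to {version}, below fixed version {FIXED_VERSION}")
```

Feed it the real output of `mvn dependency:tree` on the ksql modules instead of `SAMPLE_TREE`; an empty result means the resolved versions are at or above 1.78 for both artifacts.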

janjwerner-confluent commented 2 months ago

@bhargavyk2002 Thank you for this issue. Those issues will be addressed in the quarterly patch release in Q2 2024