confluentinc / librdkafka

The Apache Kafka C/C++ library

Critical Vulnerabilities identified in librdkafka #4664

Closed glansbury closed 1 week ago

glansbury commented 3 months ago

Description

Two CVEs with a CVSS score of 9.8 identified in this library; please help update.

curl 7.86.0 https://github.com/advisories/GHSA-75qm-2q4j-qx6g https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.libcurl#L48

zlib 1.2.13 https://github.com/advisories/GHSA-mq29-j5xf-cjwr https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.zlib#L45

How to reproduce

Review source code and links provided. Use any SBOM vulnerability scanner to validate that the libraries are being linked into build.

Initially I discovered this in confluent-kafka-go; however, I believe the vulnerability is coming from the C base library librdkafka.

Checklist
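The reproduction step above says to confirm with an SBOM scanner that the pinned libcurl and zlib are actually linked into the build. The script below does the equivalent check by hand on a built librdkafka (or on a Go/.NET binary that statically links it): it looks for the version strings both libraries compile into their objects and compares them against the pins this issue reports. This is an added example, not librdkafka's own code or part of the thread. It assumes that libcurl embeds "libcurl/<version>" (from lib/version.c) and that zlib embeds "inflate <version> Copyright ..." and "deflate <version> Copyright ..." (from inflate.c and deflate.c), and that the binary has not had those read-only strings stripped; the sample binary at the bottom is a constructed stand-in, not a real build.

```python
"""Check a built binary for the bundled libcurl / zlib versions reported
in this issue. Added example, not librdkafka project code."""
import re
import sys

# Pins the issue reports for the bundled (statically linked) dependencies.
REPORTED_PINS = {"libcurl": "7.86.0", "zlib": "1.2.13"}

# Advisory IDs from the issue, printed alongside each finding.
ADVISORIES = {"libcurl": "GHSA-75qm-2q4j-qx6g", "zlib": "GHSA-mq29-j5xf-cjwr"}

# Version strings the libraries compile into their objects.
#   libcurl: lib/version.c builds "libcurl/<version>".
#   zlib:    inflate.c / deflate.c carry "inflate <version> Copyright ..."
#            and "deflate <version> Copyright ...".
# Assumption: the binary is not stripped of these read-only strings.
PATTERNS = {
    "libcurl": re.compile(rb"libcurl/(\d+\.\d+\.\d+)"),
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright"),
}


def parse_version(v: str) -> tuple:
    """'7.86.0' -> (7, 86, 0) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def find_versions(blob: bytes) -> dict:
    """Map each library to the sorted list of distinct version strings in blob."""
    found = {}
    for lib, pat in PATTERNS.items():
        vers = {m.group(1).decode() for m in pat.finditer(blob)}
        if vers:
            found[lib] = sorted(vers, key=parse_version)
    return found


def check(blob: bytes, pins=REPORTED_PINS) -> list:
    """Return (lib, version, status) tuples for every library in pins.

    status is 'not_found' (not statically linked, or strings stripped),
    'at_or_below_reported_pin' (matches or predates the pin the issue
    reports as vulnerable) or 'above_reported_pin' (newer than the pin;
    still confirm it against the advisory's fixed range).
    """
    found = find_versions(blob)
    results = []
    for lib, pin in pins.items():
        if lib not in found:
            results.append((lib, None, "not_found"))
            continue
        for ver in found[lib]:
            if parse_version(ver) <= parse_version(pin):
                status = "at_or_below_reported_pin"
            else:
                status = "above_reported_pin"
            results.append((lib, ver, status))
    return results


# Constructed stand-in for a built librdkafka.so with both libraries
# statically linked; not a real binary.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"rd_kafka_version\x00"
    + b"libcurl/7.86.0\x00"
    + b" inflate 1.2.13 Copyright 1995-2022 Mark Adler \x00"
    + b" deflate 1.2.13 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00"
)


if __name__ == "__main__":
    # Usage: python check_pins.py /path/to/librdkafka.so  (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for lib, ver, status in check(data):
        print(f"{lib:8} {ver or '-':10} {status}  {ADVISORIES.get(lib, '')}")
```

A 'not_found' result for a library that librdkafka was configured to bundle means either the build pulled it in dynamically (check `ldd` / the import table instead) or the strings were stripped, so the scanner result should be treated as inconclusive rather than clean.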

mikajylha commented 2 months ago

Related issue #4653

mikajylha commented 2 months ago

Another related issue in dotnet lib

janjwerner-confluent commented 1 month ago

Thank you for the report. We are in the process of resolving this issue.

janjwerner-confluent commented 1 week ago

Resolved in https://github.com/confluentinc/librdkafka/pull/4706