Closed glansbury closed 1 week ago
Description
Two CVEs with a CVSS score of 9.8 identified in this library, please help update.
curl 7.86.0 https://github.com/advisories/GHSA-75qm-2q4j-qx6g https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.libcurl#L48
zlib 1.2.13 https://github.com/advisories/GHSA-mq29-j5xf-cjwr https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.zlib#L45
How to reproduce
Review source code and links provided. Use any SBOM vulnerability scanner to validate that the libraries are being linked into the build.
Initially I discovered this in confluent-kafka-go; however, I believe the vulnerability is coming from the C base library librdkafka.
Checklist
v2.3.0
N/A
linux (any base distro)
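The report asks for an SBOM scanner to confirm that the pinned curl and zlib are really linked into the build. The script below is an added example (not librdkafka project code and not part of this issue) of the two checks a defender would script for that: reading the version pinned in a mklove `configure.<dep>` module and reading the version banners left in a built shared object, then comparing each against a minimum acceptable version taken from the advisories. It assumes (labelled in the code as well) that the mklove module pins the bundled source on a line of the form `local ver=X.Y.Z`, that a statically linked libcurl leaves a `libcurl/X.Y.Z` string and zlib leaves its `deflate X.Y.Z Copyright ...` string in the binary, and that the caller supplies the floors; the sample module excerpt, the sample `strings` output and the floor versions in `main()` are constructed placeholders, not values from the advisories.

```python
"""Check which curl and zlib versions a librdkafka build pins and actually links.

Added example, not project code. Assumptions: mklove modules pin the bundled
source as `local ver=X.Y.Z`; a build that statically linked libcurl/zlib carries
the `libcurl/X.Y.Z` and ` deflate X.Y.Z Copyright` banner strings. Minimum
acceptable versions are supplied by the caller from the advisories.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Assumed pin format in mklove/modules/configure.<dep>: `local ver=7.86.0`.
PIN_RE = re.compile(r"^\s*local\s+ver=([0-9]+(?:\.[0-9]+)+)\s*$", re.M)
# Assumed banner strings a static libcurl / zlib leave in the linked object.
CURL_BANNER_RE = re.compile(r"\blibcurl/([0-9]+(?:\.[0-9]+)+)")
ZLIB_BANNER_RE = re.compile(r"\b(?:deflate|inflate)\s+([0-9]+(?:\.[0-9]+)+)\s+Copyright")


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if dotted version a is older than b (numeric, component-wise,
    missing trailing components treated as 0, so 1.3 == 1.3.0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def pinned_version(module_text: str) -> Optional[str]:
    """Version a mklove configure.<dep> module pins for its bundled source."""
    m = PIN_RE.search(module_text)
    return m.group(1) if m else None


def linked_versions(strings_output: str) -> Dict[str, str]:
    """curl/zlib versions evidenced by banner strings in a built object."""
    found: Dict[str, str] = {}
    m = CURL_BANNER_RE.search(strings_output)
    if m:
        found["curl"] = m.group(1)
    m = ZLIB_BANNER_RE.search(strings_output)
    if m:
        found["zlib"] = m.group(1)
    return found


def outdated(found: Dict[str, str], minimum: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map dep -> (found, required) for each dep older than its required floor."""
    return {dep: (ver, minimum[dep]) for dep, ver in found.items()
            if dep in minimum and version_lt(ver, minimum[dep])}


def strings_of(path: str) -> str:
    """Run the binutils `strings` tool on a real artefact (e.g. librdkafka.so)."""
    return subprocess.run(["strings", path], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample inputs so the demo runs offline.
SAMPLE_MODULE = """\
#!/bin/bash
# constructed excerpt in the style of mklove/modules/configure.libcurl
function install_source {
    local name=$1
    local destdir=$2
    local ver=7.86.0
"""

SAMPLE_STRINGS = """\
rd_kafka_version
libcurl/7.86.0
 deflate 1.2.13 Copyright 1995-2022 Jean-loup Gailly and Mark Adler 
GCC: (GNU) 12.2.0
"""


def main() -> None:
    # Placeholder floors; take the real fixed versions from the two advisories.
    minimum = {"curl": "7.87.0", "zlib": "1.2.13"}
    print("pinned in module:", pinned_version(SAMPLE_MODULE))
    found = linked_versions(SAMPLE_STRINGS)
    print("linked into object:", found)
    for dep, (have, need) in outdated(found, minimum).items():
        print(f"OUTDATED {dep}: linked {have}, need >= {need}")


if __name__ == "__main__":
    main()
```

For a real build, replace `SAMPLE_STRINGS` with `strings_of("path/to/librdkafka.so")` and read the module text from `mklove/modules/configure.libcurl` and `configure.zlib`; a pin that is current while the linked banner is old means a stale build cache, which is exactly the case an SBOM generated from source alone would miss.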
Related issue #4653
Another related issue in dotnet lib
Thank you for the report. We are in the process of resolving this issue.
Resolved in https://github.com/confluentinc/librdkafka/pull/4706