confluentinc / schema-registry

Confluent Schema Registry for Kafka
https://docs.confluent.io/current/schema-registry/docs/index.html

CVE-2024-47554 in latest version of Schema Registry #3317

Open jotamartos opened 1 month ago

jotamartos commented 1 month ago

Hi team,

Running a Trivy vulnerability scan on the schema-registry container image returned some CVEs affecting the latest releases. Could you confirm whether Schema Registry is affected by this vulnerability and, if so, whether there are plans to update the related dependencies?

Steps to reproduce:

$ trivy image confluentinc/cp-schema-registry
...
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ commons-io:commons-io (acl-7.7.1.jar)                        │ CVE-2024-47554 │ HIGH     │        │ 2.11.0            │ 2.14.0                 │ apache-commons-io: Possible denial of service attack on    │
│                                                              │                │          │        │                   │                        │ untrusted input to XmlStreamReader                         │
│                                                              │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2024-47554                 │
├──────────────────────────────────────────────────────────────┤                │          │        │                   │                        │                                                            │
│ commons-io:commons-io (commons-io-2.11.0.jar)                │                │          │        │                   │                        │                                                            │
│                                                              │                │          │        │                   │                        │                                                            │
│                                                              │                │          │        │                   │                        │                                                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
...

Thanks
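The scan above lists the same CVE twice, once in commons-io's own jar and once inside acl-7.7.1.jar, and the second one matters for triage: a copy shaded into another artifact is not fixed by bumping the direct commons-io dependency. The following is an added example, not code from the issue or from the Schema Registry project, that reads a Trivy JSON report and groups each HIGH/CRITICAL finding by the jar it was found in; the sample report is constructed to mirror the table in the issue and uses Trivy's JSON field names (VulnerabilityID, PkgName, PkgPath, InstalledVersion, FixedVersion, Severity).

```python
import json

# Constructed Trivy-style JSON report (field names follow Trivy's JSON schema);
# the two findings mirror the table in the issue above.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "confluentinc/cp-schema-registry",
    "Results": [{
        "Target": "Java",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-47554", "PkgName": "commons-io:commons-io",
             "PkgPath": "acl-7.7.1.jar", "InstalledVersion": "2.11.0",
             "FixedVersion": "2.14.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-47554", "PkgName": "commons-io:commons-io",
             "PkgPath": "commons-io-2.11.0.jar", "InstalledVersion": "2.11.0",
             "FixedVersion": "2.14.0", "Severity": "HIGH"},
        ],
    }],
})

def parse_version(v):
    """Split a dotted numeric version into a comparable tuple: '2.11.0' -> (2, 11, 0)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def needs_fix(installed, fixed):
    """True when a fixed release exists and the installed version predates it."""
    return bool(fixed) and parse_version(installed) < parse_version(fixed)

def triage(report_json, min_severity=("HIGH", "CRITICAL")):
    """Map each CVE at or above min_severity to the jars it was found in."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in min_severity:
                continue
            if not needs_fix(vuln["InstalledVersion"], vuln.get("FixedVersion", "")):
                continue
            findings.setdefault(vuln["VulnerabilityID"], []).append(
                (vuln.get("PkgPath", "?"), vuln["InstalledVersion"], vuln["FixedVersion"]))
    return findings

def shaded_copies(findings, cve, pkg_name):
    """Jars that are not the library's own artifact: a shaded copy (here inside
    acl-7.7.1.jar) is not fixed by bumping the direct commons-io dependency."""
    artifact = pkg_name.split(":")[-1]
    return [jar for jar, _, _ in findings.get(cve, []) if not jar.startswith(artifact + "-")]

if __name__ == "__main__":
    for cve, hits in triage(SAMPLE_REPORT).items():
        print(cve, *(f"{jar}: {inst} -> {fixed}" for jar, inst, fixed in hits), sep="\n  ")
```

With a real report, run `trivy image --format json -o report.json <image>` and feed the file's contents to `triage`; any jar returned by `shaded_copies` needs the upstream artifact that bundles it to be updated, not just the commons-io dependency.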