datastax / dsbulk

DataStax Bulk Loader (DSBulk) is an open-source, Apache-licensed, unified tool for loading into and unloading from Apache Cassandra(R), DataStax Astra and DataStax Enterprise (DSE)
Apache License 2.0

Vulnerabilities on DSBulk 1.11.0 #499

Open dbapramod882 opened 4 months ago

dbapramod882 commented 4 months ago

Hi Team,

Vulnerabilities detected; in which version can they be resolved?

CVE-2023-44487 Critical dsbulk-1.11.0/lib/netty-codec-http2-4.1.94.Final.jar
CVE-2023-35116 Low dsbulk-1.11.0/lib/jackson-databind-2.13.3.jar
CVE-2024-25710 Low dsbulk-1.11.0/lib/commons-compress-1.21.jar
CVE-2024-26308 Low dsbulk-1.11.0/lib/commons-compress-1.21.jar
CVE-2023-43642 Medium dsbulk-1.11.0/lib/snappy-java-1.1.7.3.jar
CVE-2022-42003 Medium dsbulk-1.11.0/lib/jackson-databind-2.13.3.jar
CVE-2023-5072 Medium dsbulk-1.11.0/lib/json-20220320.jar
CVE-2023-34454 Medium dsbulk-1.11.0/lib/snappy-java-1.1.7.3.jar
CVE-2023-34455 Medium dsbulk-1.11.0/lib/snappy-java-1.1.7.3.jar
CVE-2023-34453 Medium dsbulk-1.11.0/lib/snappy-java-1.1.7.3.jar
CVE-2023-6378 Medium dsbulk-1.11.0/lib/logback-classic-1.2.11.jar
CVE-2022-42004 Medium dsbulk-1.11.0/lib/jackson-databind-2.13.3.jar
CVE-2022-45688 Medium dsbulk-1.11.0/lib/json-20220320.jar

Thanks, Pramod P

absurdfarce commented 4 months ago

Thanks @dbapramod882 !

I'll note that there are a few things mentioned here that aren't covered in #497