search

elastic / elasticsearch-hadoop

:elephant: Elasticsearch real-time search and analytics natively integrated with Hadoop
https://www.elastic.co/products/hadoop
Apache License 2.0
1.93k stars 986 forks source link

[Bug][CVE-2019-10172] found CVE in the latest release 8.12.2 and 8.9.1 #2201

Open trend-greta-pan opened 3 months ago

trend-greta-pan commented 3 months ago
### What kind an issue is this? - [X] Bug report. If you’ve found a bug, please provide a code snippet or test to reproduce it below. The easier it is to track down the bug, the faster it is solved. - [ ] Feature Request. Start by telling us what problem you’re trying to solve. Often a solution already exists! Don’t send pull requests to implement new features without first getting our support. Sometimes we leave features out on purpose to keep the project small.

Issue description

scan the jar built from the latest release 8.12.2 and latest release for scala 2.12 8.9.1, find CVE-2019-10172 jar location: https://mvnrepository.com/artifact/org.elasticsearch/elasticsearch-spark-30_2.12

Steps to reproduce

Code:

Test/code snippet

Strack trace: NA, black duck scan result

Stack trace goes here

Version Info

OS: :
JVM :
Hadoop/Spark:
ES-Hadoop : elasticsearch-spark-30_2.12-8.9.1.jar, elasticsearch-spark-30_2.13-8.12.2.jar ES :

Feature description

masseyke commented 3 months ago

Hi @trend-greta-pan. I see that CVE-2019-10172 is related to org.codehaus.jackson:jackson-mapper-asl:1.9.x, which is not delivered in the artifact you linked (or any es-hadoop artifact that I'm aware of). Was that the correct CVE?