I couldn't find the repository for com.izettle:metrics-influxdb:1.3.4, but there's a known CVE (CVE-2021-38153) for version 2.8.0 of its dependency kafka-clients, detailed here:
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Are there any plans to upgrade to the fixing version 2.8.1?
I couldn't find the repository for
com.izettle:metrics-influxdb:1.3.4
, but there's a known CVE (CVE-2021-38153) for version2.8.0
of its dependencykafka-clients
, detailed here:Are there any plans to upgrade to the fixing version
2.8.1
?