lf-edge / ekuiper

Lightweight data stream processing engine for IoT edge
https://ekuiper.org
Apache License 2.0

The latest ekuiper v.1.14.2 has a high severity vulnerability [CVE-2024-28180] #3142

Open mark-miller-dev opened 3 weeks ago

mark-miller-dev commented 3 weeks ago

The latest Ekuiper version v.1.14.2 has a high severity vulnerability [CVE-2024-28180] [gopkg.in/square/go-jose.v2] [v2.6.0] which is a release blocker for our project. The recommended fixed version is >=2.6.3 ("This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3." (c)). E.g., the resource - https://github.com/go-jose/go-jose/tree/v2.6.3, the dependency - github.com/go-jose/go-jose/v2 v2.6.3

Could you please make this upgrade in the Ekuiper's go.mod?

Thanks, Mark

Yisaer commented 3 weeks ago

Hi @mark-miller-dev :

ekuiper introduced gopkg.in/square/go-jose.v2 v2.6.0 // indirect via github.com/openziti/sdk-golang v0.23.37, so we need the latest github.com/openziti/sdk-golang to upgrade go-jose to v2.6.3
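The comment above traces the vulnerable module back through an indirect requirement. The following added example (not code from the ekuiper project or from anyone in this thread) shows how to confirm such a chain mechanically: it parses `go mod graph` output, walks from the main module to the target module, and reports the first requirement chain whose version is below the fixed version. The graph text is a constructed sample that mirrors the chain described in the issue; the real module graph, the `v1.8.0`/`v1.9.0` versions of the other modules, and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output; it mirrors the chain described
// in the issue but is not ekuiper's real module graph. Each line reads
// "<module>@<version> <requirement>@<version>"; the main module has no version.
const SampleGraph = `github.com/lf-edge/ekuiper github.com/openziti/sdk-golang@v0.23.37
github.com/lf-edge/ekuiper github.com/gorilla/mux@v1.8.0
github.com/openziti/sdk-golang@v0.23.37 gopkg.in/square/go-jose.v2@v2.6.0
github.com/openziti/sdk-golang@v0.23.37 github.com/sirupsen/logrus@v1.9.0
`

// splitNode separates "path@version" into its parts (version is "" for the main module).
func splitNode(s string) (path, version string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// parseGraph returns an adjacency list keyed by the full "path@version" node.
func parseGraph(graph string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	return edges
}

// versionParts parses "vMAJOR.MINOR.PATCH", dropping any pre-release or build suffix.
func versionParts(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// VersionLess reports whether a < b under plain numeric major.minor.patch ordering.
func VersionLess(a, b string) bool {
	pa, pb := versionParts(a), versionParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// FindVulnerablePath walks the graph from the main module and returns the
// first requirement chain ending in target at a version below fixed, or nil
// if every required version of target is at or above fixed.
func FindVulnerablePath(graph, root, target, fixed string) []string {
	edges := parseGraph(graph)
	visited := map[string]bool{}
	var walk func(node string, chain []string) []string
	walk = func(node string, chain []string) []string {
		if visited[node] {
			return nil
		}
		visited[node] = true
		for _, dep := range edges[node] {
			path, ver := splitNode(dep)
			next := append(append([]string{}, chain...), dep)
			if path == target {
				if VersionLess(ver, fixed) {
					return next
				}
				continue
			}
			if found := walk(dep, next); found != nil {
				return found
			}
		}
		return nil
	}
	return walk(root, []string{root})
}

func main() {
	chain := FindVulnerablePath(SampleGraph, "github.com/lf-edge/ekuiper",
		"gopkg.in/square/go-jose.v2", "v2.6.3")
	if chain == nil {
		fmt.Println("no requirement below the fixed version")
		return
	}
	fmt.Println("vulnerable chain:", strings.Join(chain, " -> "))
}
```

On a real checkout, feed the program the output of `go mod graph` instead of the constant. Note that `go mod graph` lists every version any module requires, while the version that actually gets built is the one `go list -m all` reports after minimal version selection; a chain found here tells you who to upgrade, and `govulncheck` tells you whether the vulnerable code is reachable.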

OlgasAcc commented 3 weeks ago

Hi @mark-miller-dev, @Yisaer, I see the corresponding PR was already opened in openziti's repo 2 weeks ago: https://github.com/zitadel/oidc/pull/630 for the issue https://github.com/openziti/sdk-golang/issues/607, but it is still not merged