obsidiandynamics / kafdrop

Kafka Web UI
Apache License 2.0

Latest Release with CVE Patching and Latest Fixes #652

Closed nerajchand closed 2 months ago

nerajchand commented 3 months ago

Firstly thank you for your continuous efforts and hard work on maintaining Kafdrop. It has been an invaluable tool for our Kafka ecosystem.

The latest release 4.0.1 contains a number of vulnerabilities (260 to be exact)

I've noticed among other issues raised, there seem to be some comments surrounding that the fix has already been merged into master, but unfortunately a new release hasn't been created since November 2023. ref: https://github.com/obsidiandynamics/kafdrop/issues/649#issuecomment-2167543565

Are you able to kindly please push this into a new release so we can take advantage of these fixes and security improvements? 🙏🏼

Vulnerability Findings:

260 vulnerabilities found
12 Critical (12 fixable)
15 High (15 fixable)
132 Medium (123 fixable)
81 Low (32 fixable)
20 Negligible (0 fixable)

               PACKAGE               TYPE  VERSION  SUGGESTED FIX  CRITICAL  HIGH  MEDIUM  LOW  NEGLIGIBLE  EXPLOIT
  org.springframework:spring-web     java  6.0.12      v6.0.17        3       0      0      0       0          3
  org.springframework:spring-web     java  6.0.12      v6.0.17        3       0      0      0       0          3
  org.springframework:spring-web     java  6.0.12      v6.0.17        3       0      0      0       0          3
  org.yaml:snakeyaml                 java   1.33        v2.0          1       0      0      0       0          0
  org.yaml:snakeyaml                 java   1.33        v2.0          1       0      0      0       0          0
  org.yaml:snakeyaml                 java   1.33        v2.0          1       0      0      0       0          0
  org.xerial.snappy:snappy-java      java  1.1.8.4    v1.1.10.1       0       4      0      0       0          0
  org.xerial.snappy:snappy-java      java  1.1.8.4    v1.1.10.1       0       4      0      0       0          0
  org.xerial.snappy:snappy-java      java  1.1.8.4    v1.1.10.1       0       4      0      0       0          0
  org.springframework:spring-webmvc  java  6.0.12      v6.0.14        0       1      0      0       0          0

Thank you so much ☺️
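As an added example (not part of the issue or of the Kafdrop project), here is a small parser for the scanner table quoted above: it collapses the repeated rows, totals findings per severity, and lists which dependency bumps would clear everything at or above a chosen severity while a patched release is pending. The table text is embedded as constructed sample input copied from the report format shown.

```python
# Constructed sample: the scanner table from the issue (the scanner repeats rows per finding group).
REPORT = """\
               PACKAGE               TYPE  VERSION  SUGGESTED FIX  CRITICAL  HIGH  MEDIUM  LOW  NEGLIGIBLE  EXPLOIT
  org.springframework:spring-web     java  6.0.12      v6.0.17        3       0      0      0       0          3
  org.springframework:spring-web     java  6.0.12      v6.0.17        3       0      0      0       0          3
  org.yaml:snakeyaml                 java   1.33        v2.0          1       0      0      0       0          0
  org.xerial.snappy:snappy-java      java  1.1.8.4    v1.1.10.1       0       4      0      0       0          0
  org.springframework:spring-webmvc  java  6.0.12      v6.0.14        0       1      0      0       0          0
"""

# Numeric columns in the order the scanner prints them; EXPLOIT is a count of
# known public exploits, not a severity, so it is kept separate below.
COLUMNS = ("critical", "high", "medium", "low", "negligible", "exploit")
SEVERITIES = COLUMNS[:5]


def parse_report(text):
    """Parse whitespace-separated rows into dicts, skipping the header and blank
    lines and collapsing exact duplicate (package, version, fix) rows."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly 10 fields; the header splits into 11 ("SUGGESTED FIX").
        if len(parts) != 10 or parts[0] == "PACKAGE":
            continue
        pkg, typ, version, fix = parts[:4]
        key = (pkg, version, fix)
        if key in rows:
            continue
        counts = dict(zip(COLUMNS, map(int, parts[4:])))
        rows[key] = {"package": pkg, "type": typ, "version": version,
                     "fix": fix.lstrip("v"), **counts}
    return list(rows.values())


def total_by_severity(rows):
    """Sum findings per severity over the de-duplicated rows."""
    return {sev: sum(r[sev] for r in rows) for sev in SEVERITIES}


def upgrade_plan(rows, min_severity="high"):
    """Return {package: fixed_version} for every package that has at least one
    finding at or above min_severity (critical > high > medium > low > negligible)."""
    cutoff = SEVERITIES.index(min_severity)
    return {r["package"]: r["fix"]
            for r in rows
            if any(r[sev] > 0 for sev in SEVERITIES[:cutoff + 1])}


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print(total_by_severity(parsed))
    print(upgrade_plan(parsed, "critical"))
```

The resulting plan maps directly onto dependency overrides in a consumer's build (for example a Maven dependencyManagement section) until the upstream release ships.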

mikelorant commented 2 months ago

@Bert-R Any chance we could get the current master tagged as a release which would address these vulnerabilities?

Bert-R commented 2 months ago

@davideicardi You normally do the releases. Can you respond to this request?

davideicardi commented 2 months ago

@Bert-R yes, I can do it tomorrow! (But of course if you prefer to do it yourself for me is completely fine)

nerajchand commented 2 months ago

Amazing, thank you 👍