Closed: lathspell closed this 3 years ago
There doesn't appear to be a newer version of org.apache.thrift:libthrift on Maven Central.
On https://thrift.apache.org/download a maven artefact with version 0.14.0 is mentioned. It's not yet on https://repo.maven.apache.org/maven2/org/apache/thrift/libthrift/ though. I'll ask on https://issues.apache.org/jira/browse/THRIFT-5359
The Thrift maintainers managed to release 0.14.0, it's already on repository.apache.org and should be available on Maven Central in a couple of hours.
This looks like it has been resolved in io.jaegertracing:jaeger-client:jar:1.6.0.
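For anyone who cannot move to jaeger-client 1.6.0 right away, the usual stop-gap is a `dependencyManagement` override that forces the transitive libthrift to the fixed 0.14.0 and lets the OWASP check gate the build. The pom below is an added example, not code from the jaeger-client project or from this thread; the project coordinates, the jaeger-client version that still pulls in 0.13.0, and the dependency-check plugin version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom (not from the jaeger-client project). It pins the
     transitive libthrift to 0.14.0, which is the version that no longer
     carries CVE-2020-13949, while the direct jaeger-client dependency is
     still one that declares libthrift 0.13.0. All coordinates and versions
     marked "assumed" are placeholders chosen for this example. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>           <!-- assumed -->
  <artifactId>thrift-override-demo</artifactId> <!-- assumed -->
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Maven's "nearest wins" resolution means a managed version here
           beats the 0.13.0 that arrives transitively via jaeger-client. -->
      <dependency>
        <groupId>org.apache.thrift</groupId>
        <artifactId>libthrift</artifactId>
        <version>0.14.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.jaegertracing</groupId>
      <artifactId>jaeger-client</artifactId>
      <!-- assumed: a pre-1.6.0 release that still brings in libthrift 0.13.0 -->
      <version>1.5.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- OWASP dependency-check: fail the build when any finding scores
           CVSS 7 or higher, so a re-appearance of the vulnerable jar is
           caught in CI rather than in a manual report. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>6.1.0</version> <!-- assumed -->
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After adding the override, confirm the resolved version with `mvn dependency:tree -Dincludes=org.apache.thrift` and run the project's tests: forcing a newer thrift than the library was built against is a compatibility risk, which is why the override should be dropped again once jaeger-client 1.6.0 is in use.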
The OWASP dependency checker reports:
libthrift-0.13.0.jar (pkg:maven/org.apache.thrift/libthrift@0.13.0, cpe:2.3:a:apache:thrift:0.13.0:*:*:*:*:*:*:*) : CVE-2020-13949
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-13949
The dependency tree looks like: