redpanda-data / connect

Fancy stream processing made operationally mundane
https://docs.redpanda.com/redpanda-connect/about/

CVEs observed in benthos image #2157

Open Rajendra08 opened 11 months ago

Rajendra08 commented 11 months ago

Benthos code is internally using influxdb1-client. https://github.com/benthosdev/benthos/blob/v4.22.0/go.mod#L61

This version of influxdb1-client has two security vulnerabilities.

https://nvd.nist.gov/vuln/detail/CVE-2022-36640
https://nvd.nist.gov/vuln/detail/CVE-2019-20933

Need to resolve these issues.

Jeffail commented 11 months ago

Hey @Rajendra08, there's no version to upgrade to for that package, so we're blocked until they get fixes out; you need to raise this with them at: https://github.com/influxdata/influxdb1-client.

In the meantime it's possible to create your own build of benthos where the influxdb components aren't included; there's an example at: https://github.com/benthosdev/benthos-plugin-example/blob/master/main.go#L9
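
Once you have built such a trimmed binary, the check a practitioner wants is proof that influxdb1-client is no longer linked into it. The script below is an added example, not code from the issue thread or the project: it uses the module listing that `go version -m <binary>` embeds in every Go binary, and the sample listings and version strings in it are constructed placeholders, not output from any real benthos build.

```sh
#!/bin/sh
# Added example: confirm that a custom Benthos build no longer links
# github.com/influxdata/influxdb1-client. `go version -m <binary>` prints the
# module list compiled into a Go binary, one "dep" line per module.
set -eu

# module_linked LISTING MODULE_PATH
# Exit 0 if MODULE_PATH appears on a "dep" line of the `go version -m`
# listing passed as LISTING, 1 otherwise. Replace directives show up as
# separate "=>" lines and are ignored here on purpose.
module_linked() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        $1 == "dep" && $2 == mod { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_binary PATH
# Real usage after `go build -o benthos-custom .` from a main.go that imports
# only the component bundles you need: check_binary ./benthos-custom
check_binary() {
    if module_linked "$(go version -m "$1")" github.com/influxdata/influxdb1-client; then
        echo "influxdb1-client is still linked into $1"
        return 1
    fi
    echo "influxdb1-client is not present in $1"
}

# Constructed sample listings (placeholder versions and hashes) so the check
# can be exercised offline: one build that still pulls in the influxdb
# components, and one trimmed build.
SAMPLE_WITH_INFLUX='benthos-custom: go1.21.0
	path	example.com/benthos-custom
	mod	example.com/benthos-custom	(devel)
	dep	github.com/benthosdev/benthos/v4	v4.22.0	h1:placeholder
	dep	github.com/influxdata/influxdb1-client	v0.0.0-placeholder	h1:placeholder'

SAMPLE_WITHOUT_INFLUX='benthos-custom: go1.21.0
	path	example.com/benthos-custom
	mod	example.com/benthos-custom	(devel)
	dep	github.com/benthosdev/benthos/v4	v4.22.0	h1:placeholder'
```

On the trimmed build `module_linked` returns 1 for the influxdb1-client path, which is the signal that the dependency flagged in this issue is absent from what you ship.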

danriedl commented 3 months ago

Hi @Rajendra08, where did you get the link between both CVEs and influxdb1-client? Both of them report a vulnerability in InfluxDB itself, not in the client.

Please check again and close the issue if that is the case.