Kafka / KAFKA-14198

Release package contains snakeyaml 1.30

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.3.0
    • Fix Version/s: 3.3.0
    • Component/s: None
    • Labels: None

    Description

      snakeyaml 1.30 is vulnerable to CVE-2022-25857: https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360

      It looks like we pull this dependency because of swagger. It's unclear how or even if this can be exploited in Kafka but it's flagged by scanning tools.

      I wonder if we could make the swagger dependencies compile time only and avoid shipping them.
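A check a release engineer can run against the unpacked release package to confirm whether the jar a scanner flagged is actually shipped. This is an added shell example, not code from the ticket or the Kafka build; it assumes jars follow the Maven `<artifact>-<version>.jar` naming convention and takes the `libs/` directory path as its argument.

```shell
#!/bin/sh
# Added example, not code from the Kafka project or this ticket.
# Scans an unpacked release package's libs/ directory and flags a jar
# shipped at a version a scanner reported (here snakeyaml 1.30).
# Assumes jar files follow the Maven naming convention <artifact>-<version>.jar.

# Print one "artifact version" line per jar in the directory given as $1.
list_jar_versions() {
  dir="$1"
  for jar in "$dir"/*.jar; do
    [ -e "$jar" ] || continue            # no jars at all: glob stays literal
    name=$(basename "$jar" .jar)
    # version = everything after the last "-" that is followed by a digit,
    # so kafka_2.13-3.3.0 -> "3.3.0" and scala-library-2.13.8 -> "2.13.8"
    version=$(printf '%s\n' "$name" | sed -n 's/.*-\([0-9][^-]*\)$/\1/p')
    [ -n "$version" ] || continue        # skip names not ending in a plain version
    artifact=${name%-"$version"}
    printf '%s %s\n' "$artifact" "$version"
  done
}

# Exit 0 and print a FLAGGED line if <artifact> at <version> is shipped in
# directory $1; exit 1 if it is not present.
# Usage: flag_jar_version /path/to/libs snakeyaml 1.30
flag_jar_version() {
  list_jar_versions "$1" | awk -v a="$2" -v v="$3" '
    $1 == a && $2 == v { found = 1; print "FLAGGED: " $1 "-" $2 ".jar" }
    END { exit found ? 0 : 1 }'
}
```

The same function can be pointed at any other artifact and version a scan reports, which makes it a quick way to confirm or rule out a finding before triaging the dependency itself.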

People

  ijuma Ismael Juma
  mimaison Mickael Maison