
[FLUME-3472] fix vulnerability CVE 2020-1938 caused by tomcat-embed-core

Open nikita15p opened this issue 1 year ago • 0 comments

org.apache.thrift:libthrift:0.14.2 has a dependency on tomcat-embed-core 8.5.46, which is causing CVE 2020-1938. So I added tomcat-embed-core.

Without this change, the dependency tree looks like:

[INFO] +- org.apache.thrift:libthrift:jar:0.14.2:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.46:compile
[INFO] |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.46:compile
[INFO] |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile

With this change, the dependency tree looks like:

[INFO] |  |  +- org.apache.thrift:libthrift:jar:0.14.2:compile
[INFO] |  |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  |  |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.68:compile
[INFO] |  |  |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:9.0.68:compile
[INFO] |  |  |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile

nikita15p, Apr 27 '23 12:04
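The version bump described in this PR can be checked mechanically against `mvn dependency:tree` output. The following is an added example, not Flume's or the PR author's code: it scans tree lines for tomcat-embed-core and flags any version older than the first fixed release of its line. The fixed-version table (7.0.100, 8.5.51, 9.0.31) is taken from the Tomcat project's security announcements and is not stated on this page; the sample tree text is constructed from the lines quoted above.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed samples: the "before" and "after" trees quoted in the PR description.
BEFORE_TREE = r"""
[INFO] +- org.apache.thrift:libthrift:jar:0.14.2:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.46:compile
[INFO] |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.46:compile
[INFO] |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
"""
AFTER_TREE = r"""
[INFO] |  |  +- org.apache.thrift:libthrift:jar:0.14.2:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.68:compile
[INFO] |  |  |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:9.0.68:compile
"""

# First release of each Tomcat line that contains the CVE-2020-1938 fix.
# Assumption: taken from Tomcat security announcements, not from this page.
FIXED = {(7, 0): (7, 0, 100), (8, 5): (8, 5, 51), (9, 0): (9, 0, 31)}

ARTIFACT = "org.apache.tomcat.embed:tomcat-embed-core"
# Matches Maven's "group:artifact:jar:version:scope" tree entries.
LINE_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):(\w+)")


class Finding(NamedTuple):
    version: str
    vulnerable: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a Maven version string to its leading numeric components."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for its line, or the line is unknown
    (an unknown line is flagged conservatively so a human reviews it)."""
    parts = parse_version(version)
    fixed = FIXED.get(parts[:2])
    return True if fixed is None else parts < fixed


def scan_tree(text: str) -> List[Finding]:
    """Report every tomcat-embed-core occurrence in a dependency:tree dump."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and f"{m.group(1)}:{m.group(2)}" == ARTIFACT:
            findings.append(Finding(m.group(3), is_vulnerable(m.group(3))))
    return findings
```

Running `scan_tree` over the "before" text flags 8.5.46, while the "after" text yields 9.0.68 as fixed; the annotations-api line is ignored because only the embed-core artifact is in scope.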