
[Bug] Alluxio version has a vulnerability CVE-2023-38889

Open · nikhil-ctds opened this issue 1 year ago · 1 comment

Search before asking

  • [X] I searched in the issues and found nothing similar.

Version

For Pulsar version 3.1.2 on branch branch-3.1, facing critical vulnerability CVE-2023-38889 related to the packages:

  • org.alluxio:alluxio-parent
  • org.alluxio:alluxio-core-client-fs

Below are the versions available in Pulsar:

  • <alluxio.version>2.7.3</alluxio.version>

Maven Dependency

  • pulsar - org.apache.pulsar 3.1.2

Minimal reproduce step

Run Pulsar CI workflow on pulsar branch - branch-3.1

What did you expect to see?

Expected to pass the OWASP dependency check under Pulsar CI workflow.

What did you see instead?

Vulnerability

 Error:  Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default) on project pulsar: 
 Error:  
 Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
 Error:  
 Error:  alluxio-core-common-2.7.3.jar: CVE-2023-38889(9.8)

Anything else?

No response

Are you willing to submit a PR?

  • [ ] I'm willing to submit a PR!

nikhil-ctds, Dec 21 '23 12:12

see also ongoing discussion https://github.com/apache/pulsar/discussions/19093#discussioncomment-9360551 and upvote it if you also think this is important.

hpvd, May 08 '24 21:05