
[Bug] Elasticsearch Java version has a vulnerability CVE-2023-46673, CVE-2023-46674, CVE-2023-31419, CVE-2023-31417, CVE-2023-31418

Open nikhil-ctds opened this issue 1 year ago • 1 comment

Search before asking

  • [X] I searched in the issues and found nothing similar.

Version

For pulsar version 3.1.2 on branch branch-3.1, facing moderate vulnerabilities CVE-2023-46673, CVE-2023-46674, CVE-2023-31419, CVE-2023-31417, CVE-2023-31418, related to packages:

  • org.elasticsearch:elasticsearch
  • org.elasticsearch:elasticsearch-hadoop
  • co.elastic.clients:elasticsearch-java

Below are the versions available in pulsar:

  • <elasticsearch-java.version>8.5.2</elasticsearch-java.version>

Maven Dependency

  • pulsar - org.apache.pulsar 3.1.2

Minimal reproduce step

Run Pulsar CI workflow on pulsar branch - branch-3.1

What did you expect to see?

Expected to pass the OWASP dependency check under Pulsar CI workflow.

What did you see instead?

Vulnerability

 Error:  Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default) on project pulsar: 
 Error:  
 Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
 Error:  
 Error:  elasticsearch-java-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
 Error:  elasticsearch-rest-client-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)

Anything else?

No response

Are you willing to submit a PR?

  • [ ] I'm willing to submit a PR!

nikhil-ctds Dec 21 '23 13:12
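To make the CVSS gate quoted in the error output above machine-checkable, here is an added Python example (not code from the issue or from the Pulsar project) that parses the dependency-check failure lines into per-jar CVE/CVSS findings and reports which CVEs still exceed the build's threshold after an assumed, reviewer-maintained suppression set. The sample log is reconstructed from the lines in this issue; the `suppressed` parameter is a hypothetical input, not a Pulsar feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: the dependency-check failure lines quoted in this
# issue, as they appear in the Pulsar CI log.
SAMPLE_LOG = """\
 Error:  Failed to execute goal org.owasp:dependency-check-maven:8.2.1:aggregate (default) on project pulsar:
 Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
 Error:  elasticsearch-java-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
 Error:  elasticsearch-rest-client-8.5.2.jar: CVE-2023-46673(7.5), CVE-2023-46674(7.8), CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
"""

# One finding line: "<jar>.jar: CVE-...(score), CVE-...(score), ..."
FINDING_RE = re.compile(r"^\s*Error:\s+(?P<jar>\S+\.jar):\s*(?P<cves>.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
# The gate value dependency-check prints (failBuildOnCVSS in the Maven config).
THRESHOLD_RE = re.compile(r"greater than or equal to '(\d+(?:\.\d+)?)'")


@dataclass
class Finding:
    jar: str
    cves: dict  # CVE id -> CVSS score reported for this jar


def parse_report(log):
    """Return (threshold, findings) parsed from dependency-check failure output."""
    threshold = None
    findings = []
    for line in log.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            threshold = float(m.group(1))
            continue
        m = FINDING_RE.match(line)
        if m:
            cves = {cve: float(score) for cve, score in CVE_RE.findall(m.group("cves"))}
            findings.append(Finding(m.group("jar"), cves))
    if threshold is None:
        raise ValueError("no CVSS threshold line found in log")
    return threshold, findings


def blocking_cves(findings, threshold, suppressed=frozenset()):
    """Per jar, the CVEs that still trip the gate after a reviewed suppression set."""
    return {
        f.jar: sorted(c for c, s in f.cves.items() if s >= threshold and c not in suppressed)
        for f in findings
    }
```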