
Upgrade Guava to 32.1.3-jre (fix CVE-2023-2976, CVE-2020-8908)

Open guptas6est opened this issue 3 months ago • 1 comment

Summary

This PR upgrades the Guava dependency in zookeeper-contrib-zooinspector from 30.0-jre to 32.1.3-jre.

Motivation

The upgrade addresses the following known vulnerabilities:

  • CVE-2023-2976: Insecure temporary directory creation
  • CVE-2020-8908: Local information disclosure via temporary directory created with unsafe permissions

Details

  • Updated <guava.version> property in zookeeper-contrib-zooinspector/pom.xml to 32.1.3-jre.
  • Ensures continued compatibility with the project while remediating the reported CVEs.
  • Verified build and tests pass successfully after the update.

guptas6est avatar Sep 17 '25 14:09 guptas6est

@eolivelli @li4wang @kezhuw. Please kindly take a look when you have time. Thank you.

guptas6est avatar Oct 17 '25 11:10 guptas6est

Oops, I was too quick. There's no Jira ticket for this patch, but it might be okay given this is a contrib-only change.

anmolnar avatar Dec 19 '25 17:12 anmolnar