kafka-connect-storage-common
Version of commons.io used has a high-severity vulnerability
Found when scanning an image with JFrog XRAY that pulls in kafka-connect-storage-common.
XRAY-125253
Severity: High
Type: Security
Summary: Apache Commons IO input/InfiniteCircularInputStream.java InfiniteCircularInputStream::read() Function Buffer Handling Divide-by-zero DoS
Description: Apache Commons IO contains a divide-by-zero condition in the InfiniteCircularInputStream::read() function in input/InfiniteCircularInputStream.java that is triggered when the input buffer is of size 0. This may allow a context-dependent attacker to crash a process linked against the library.
Version: 2.7
Fix version: 2.8.0
https://issues.apache.org/jira/browse/IO-675
kafka-connect-storage-common is using version 2.7 of commons.io, as seen here: https://github.com/confluentinc/kafka-connect-storage-common/blob/master/pom.xml#L70
Solution: Upgrade dependency version to 2.8.0 or later.
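A check for the situation described in this report, added here as an example and not code from the issue or from the kafka-connect-storage-common project: a small Python script that reads the text printed by mvn dependency:tree for a build that consumes the library and flags every commons-io:commons-io coordinate, direct or transitive, that is older than the 2.8.0 fix version named in the finding. It assumes the standard coordinate layout of that plugin's output (groupId:artifactId:packaging[:classifier]:version[:scope]); the sample tree lines are constructed for the example, and the connector's own version in them is a placeholder, not a real release.

```python
"""Flag commons-io versions older than the IO-675 fix in 'mvn dependency:tree' output.

Added example, not code from the issue or the project. Assumes the standard
Maven dependency:tree line layout:
    [INFO] +- groupId:artifactId:packaging[:classifier]:version[:scope]
"""
import re
import sys
from typing import List, Optional, Tuple

# 2.8.0 is the fix version named in the XRAY finding for IO-675.
FIX_VERSION = "2.8.0"
VULNERABLE_ARTIFACT = ("commons-io", "commons-io")

# Constructed sample of dependency:tree output (with -Dverbose, which also
# prints the versions Maven dropped during conflict resolution in parentheses).
# The connector's own version is a placeholder, not a real release number.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-connector ---
[INFO] com.example:example-connector:jar:1.0.0
[INFO] +- io.confluent:kafka-connect-storage-common:jar:VERSION-PLACEHOLDER:compile
[INFO] |  \\- commons-io:commons-io:jar:2.7:compile
[INFO] +- org.apache.avro:avro:jar:1.9.2:compile
[INFO] |  \\- (commons-io:commons-io:jar:2.11.0:compile - omitted for conflict with 2.7)
[INFO] \\- junit:junit:jar:4.13.2:test
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Map '2.7', '2.8.0', '2.11.0' to integer tuples that compare correctly.

    Missing components pad with 0, so '2.7' becomes (2, 7, 0) and sorts below
    (2, 8, 0). Non-numeric qualifiers such as -SNAPSHOT are ignored, which is
    good enough for a release-vs-release comparison.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for one tree line, or None.

    The coordinate is the first whitespace-separated token with at least four
    colon-separated fields; the [INFO] prefix and the tree-drawing characters
    never contain colons. Verbose output wraps omitted versions in parentheses.
    """
    for token in line.split():
        parts = token.strip("()").split(":")
        if len(parts) < 4:
            continue
        # 4 or 5 fields: group:artifact:packaging:version[:scope]
        # 6 fields:      group:artifact:packaging:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        return parts[0], parts[1], version
    return None


def find_vulnerable(tree_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, coordinate, version) for every commons-io:commons-io
    entry older than FIX_VERSION, transitive entries included."""
    hits = []
    for number, line in enumerate(tree_text.splitlines(), start=1):
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if (group, artifact) != VULNERABLE_ARTIFACT:
            continue
        if version_key(version) < version_key(FIX_VERSION):
            hits.append((number, f"{group}:{artifact}", version))
    return hits


def main() -> int:
    """Scan a saved dependency:tree file (argv[1]) or the built-in sample; exit 1 on a hit."""
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_TREE
    hits = find_vulnerable(text)
    for number, coord, version in hits:
        print(f"line {number}: {coord} {version} is older than {FIX_VERSION} (IO-675)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Save the output of mvn dependency:tree (adding -Dverbose shows the versions Maven discarded during conflict resolution as well) and pass the file as the first argument; the non-zero exit status on a hit makes the script usable as a CI gate until the dependency is bumped to 2.8.0 or later.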
Thank you for bringing this to our attention.