ksql
Vulnerabilities in dependencies of KSQL official container image
Hi
I have recently analysed the latest release of the 7.8.0 CP-KSQL docker image that is published in your DockerHub image registry with Trivy (a vulnerability and security scanner). The scanner reports a critical vulnerability in several libraries:
$ trivy image -q --vuln-type library confluentinc/cp-ksqldb-server:7.8.0 -s CRITICAL

Java (jar)
Total: 4 (CRITICAL: 4)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| org.asynchttpclient:async-http-client (telemetry-client-3.1518.0.jar) | CVE-2024-53990 | CRITICAL | fixed | 2.12.3 | 2.12.4, 3.0.1 | The AsyncHttpClient (AHC) library allows Java applications to easily e ... https://avd.aquasec.com/nvd/cve-2024-53990 |
| org.asynchttpclient:async-http-client (confluent-metrics-7.8.0-ce.jar) | CVE-2024-53990 | CRITICAL | fixed | 2.12.3 | 2.12.4, 3.0.1 | The AsyncHttpClient (AHC) library allows Java applications to easily e ... https://avd.aquasec.com/nvd/cve-2024-53990 |
Do you have any information/statement about these CVEs related to your product? Is your software actually affected by them?
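Added example, not part of the issue or of the ksqlDB project: a small triage helper that reads Trivy's JSON output (`trivy image -f json`, the machine-readable form of the table above), groups findings by CVE so that the same library bundled in several jars is counted once, and acts as a CI gate that fails only on findings that already have a fixed version. The embedded report is constructed from the scan quoted above; the JSON keys follow Trivy's schema and `SEVERITY_RANK` is an assumed ordering.

```python
import json

# Constructed report in the JSON format Trivy emits with `trivy image -f json`,
# modelled on the scan quoted above: the CVE id, package, jars and versions are
# the ones from that scan; the surrounding structure follows Trivy's schema.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "confluentinc/cp-ksqldb-server:7.8.0",
    "Results": [{"Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-53990", "Severity": "CRITICAL", "Status": "fixed",
         "PkgName": "org.asynchttpclient:async-http-client", "PkgPath": "telemetry-client-3.1518.0.jar",
         "InstalledVersion": "2.12.3", "FixedVersion": "2.12.4, 3.0.1"},
        {"VulnerabilityID": "CVE-2024-53990", "Severity": "CRITICAL", "Status": "fixed",
         "PkgName": "org.asynchttpclient:async-http-client", "PkgPath": "confluent-metrics-7.8.0-ce.jar",
         "InstalledVersion": "2.12.3", "FixedVersion": "2.12.4, 3.0.1"},
    ]}],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def group_findings(report_json, min_severity="CRITICAL"):
    """Group findings by CVE: {cve: {"severity", "fixed_version", "locations"}}.
    Trivy emits one row per jar that bundles a library, so one CVE can appear
    several times; the per-CVE view is what matters for triage and vendor queries."""
    grouped = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when a target is clean
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < SEVERITY_RANK[min_severity]:
                continue
            entry = grouped.setdefault(v["VulnerabilityID"], {
                "severity": v["Severity"], "fixed_version": v.get("FixedVersion") or None,
                "locations": []})
            entry["locations"].append((v["PkgName"], v.get("PkgPath", ""), v["InstalledVersion"]))
    return grouped

def gate(report_json, min_severity="CRITICAL"):
    """CI gate: returns (passed, fixable_cves, unfixed_cves). It fails only on findings
    that already have a fixed version; findings with no fix yet are returned for
    tracking, since nothing can be upgraded for them."""
    grouped = group_findings(report_json, min_severity)
    fixable = sorted(c for c, e in grouped.items() if e["fixed_version"])
    unfixed = sorted(c for c, e in grouped.items() if not e["fixed_version"])
    return not fixable, fixable, unfixed

if __name__ == "__main__":
    passed, fixable, unfixed = gate(SAMPLE_REPORT)
    for cve, e in group_findings(SAMPLE_REPORT).items():
        print(f"{cve} {e['severity']} fixed in {e['fixed_version']} ({len(e['locations'])} jars)")
    print("gate:", "PASS" if passed else "FAIL", fixable, unfixed)
```

On the sample report the gate fails with CVE-2024-53990 listed as fixable in two jars; against a real scan, pipe `trivy image -f json` output into `gate()` instead of `SAMPLE_REPORT`.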
New critical CVE has been detected: CVE-2024-52046
Thank you for raising those issues. They have been addressed in the scheduled quarterly patch releases.