
The latest ekuiper v.1.14.2 has a high severity vulnerability [CVE-2024-28180]

Open mark-miller-dev opened this issue 1 year ago • 2 comments

The latest Ekuiper version v.1.14.2 has a high severity vulnerability [CVE-2024-28180] [gopkg.in/square/go-jose.v2] [v2.6.0], which is a release blocker for our project. The recommended fixed version is >=2.6.3 ("This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3." (c)). E.g., the resource - https://github.com/go-jose/go-jose/tree/v2.6.3, the dependency - github.com/go-jose/go-jose/v2 v2.6.3

Could you please make this upgrade in the Ekuiper's go.mod?

Thanks, Mark

mark-miller-dev avatar Aug 25 '24 06:08 mark-miller-dev

Hi @mark-miller-dev :

ekuiper introduced `gopkg.in/square/go-jose.v2 v2.6.0 // indirect` via github.com/openziti/sdk-golang v0.23.37, so we need the latest github.com/openziti/sdk-golang to upgrade go-jose to v2.6.3.

Yisaer avatar Aug 26 '24 04:08 Yisaer
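The two comments above describe the situation this issue is about: a vulnerable module that is only an `// indirect` requirement pulled in through another dependency, which a go.mod check still has to catch. The following Go program is an added example, not code from the ekuiper project or from anyone in this thread. It parses a constructed go.mod excerpt (the module name `example.com/constructed-app` and the `golang.org/x/crypto` line are made up; the sdk-golang and go-jose versions are the ones named in this issue) and reports every required module, direct or indirect, that sits below the advisory's first fixed version. The `fixedVersions` table is assumed input; in practice it would come from an advisory feed such as the Go vulnerability database.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt, not ekuiper's real go.mod.
// It mirrors the shape described in the issue: a direct require of
// openziti/sdk-golang and the indirect go-jose require it pulls in.
const sampleGoMod = `module example.com/constructed-app

go 1.21

require (
	github.com/openziti/sdk-golang v0.23.37
)

require (
	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
	golang.org/x/crypto v0.24.0 // indirect
)
`

// Requirement is one "require" entry from a go.mod file.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// ParseRequires extracts module requirements from go.mod text, handling both
// the single-line "require path version" form and "require ( ... )" blocks.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, exclude lines etc. are not requirements
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || strings.HasPrefix(fields[0], "//") {
			continue // blank line or comment inside a block
		}
		reqs = append(reqs, Requirement{
			Path:     fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
		})
	}
	return reqs
}

// parseSemver splits "v2.6.3" or "v2.6.3-rc1" into numeric parts plus any
// pre-release tag; a malformed version yields ok=false.
func parseSemver(v string) (parts [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	segs := strings.Split(v, ".")
	if len(segs) != 3 {
		return parts, "", false
	}
	for i, s := range segs {
		n, err := strconv.Atoi(s)
		if err != nil {
			return parts, "", false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// VersionLess reports whether a sorts before b under semver ordering.
// A pre-release (v2.6.3-rc1) sorts before its release (v2.6.3), so a
// pre-release of the fixed version is still reported as vulnerable.
func VersionLess(a, b string) bool {
	pa, preA, okA := parseSemver(a)
	pb, preB, okB := parseSemver(b)
	if !okA || !okB {
		return false // unparseable versions are never flagged; surface them separately
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return preA != "" && preB == ""
}

// Finding is a required module that is below the version that fixes it.
type Finding struct {
	Requirement
	Fixed string
}

// CheckGoMod returns every requirement whose module path is listed in
// fixedVersions (module path -> first fixed version) at a lower version.
// Indirect requires are checked like direct ones; that is the case here.
func CheckGoMod(gomod string, fixedVersions map[string]string) []Finding {
	var findings []Finding
	for _, r := range ParseRequires(gomod) {
		if fixed, tracked := fixedVersions[r.Path]; tracked && VersionLess(r.Version, fixed) {
			findings = append(findings, Finding{Requirement: r, Fixed: fixed})
		}
	}
	return findings
}

func main() {
	// Advisory data as stated in the issue: CVE-2024-28180 is fixed in go-jose v2.6.3.
	fixed := map[string]string{"gopkg.in/square/go-jose.v2": "v2.6.3"}
	for _, f := range CheckGoMod(sampleGoMod, fixed) {
		kind := "direct"
		if f.Indirect {
			kind = "indirect"
		}
		fmt.Printf("%s %s (%s) is below fixed version %s\n", f.Path, f.Version, kind, f.Fixed)
	}
}
```

Run against the constructed excerpt it reports the single indirect go-jose line. The check deliberately does not stop at direct requirements: as Yisaer notes, bumping the vulnerable module here means either waiting for the upstream dependency to move or adding an explicit require/replace in go.mod, and a check that only looked at direct requires would keep reporting the project as clean.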

Hi @mark-miller-dev, @Yisaer, I see the corresponding PR was already opened in openziti's repo 2 weeks ago: https://github.com/zitadel/oidc/pull/630 for the issue https://github.com/openziti/sdk-golang/issues/607, but it is still not merged.

OlgasAcc avatar Aug 26 '24 06:08 OlgasAcc

Fixed! Thanks, guys.

mark-miller-dev avatar Sep 18 '24 09:09 mark-miller-dev