Due to security policies, Confluent requires all connector updates to not have any CRITICAL or HIGH level CVEs present unless signed off as a false positive or non-exploitable, and any existing listings to have CVEs actioned within a set timescale. As the current version on the Confluent Hub (2.10.0) has a longstanding HIGH CVE, we will require these changes to be actioned or risk the removal of the listing from the Confluent Hub.
Describe the bug
The following vulnerabilities are detected on the latest release of this connector:
GHSA-xpw8-rcwv-8f8p - netty-codec-http2-4.1.89.Final.jar
https://avd.aquasec.com/nvd/cve-2023-34054 - reactor-netty-http-1.0.28.jar
https://avd.aquasec.com/nvd/cve-2023-34062
https://avd.aquasec.com/nvd/cve-2023-39410 - avro-1.11.1.jar
https://avd.aquasec.com/nvd/cve-2023-5072 - json-20230618.jar
To Reproduce
Run a vulnerability scan using a tool like Trivy https://github.com/aquasecurity/trivy
Expected behavior
No CRITICAL or HIGH vulnerabilities should be detected
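A release gate for the policy stated in this issue (no CRITICAL or HIGH findings unless signed off), as an added example that is not part of the original issue or the connector project. It reads a report in Trivy's JSON output format; the sample report, its placeholder IDs and package names, and the sign-off list are constructed, and `blocking_findings` is a hypothetical helper name.

```python
import json

BLOCKING = {"CRITICAL", "HIGH"}

# Constructed sample in the shape of Trivy's `--format json` report
# (placeholder IDs and package names, not real findings).
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "lib/example-a-1.0.jar", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-a",
     "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-a",
     "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "MEDIUM"}]},
  {"Target": "lib/example-b-2.3.jar", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-b",
     "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "CRITICAL"}]},
  {"Target": "lib/clean.jar"}
]}
""")

# Hypothetical sign-off list: finding ID -> recorded justification.
SIGNED_OFF = {"CVE-0000-0003": "false positive: vulnerable class not shipped"}


def blocking_findings(report, signed_off=None):
    """Return HIGH/CRITICAL findings that have no recorded sign-off."""
    signed_off = signed_off or {}
    found = []
    for result in report.get("Results") or []:
        # "Vulnerabilities" may be missing or null for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in BLOCKING:
                continue
            if vuln["VulnerabilityID"] in signed_off:
                continue
            found.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                          vuln["Severity"], vuln.get("FixedVersion") or "none"))
    return sorted(found)


if __name__ == "__main__":
    remaining = blocking_findings(SAMPLE_REPORT, SIGNED_OFF)
    for target, vuln_id, severity, fix in remaining:
        print(f"{severity:8} {vuln_id} in {target} (fixed in: {fix})")
    # Non-zero exit fails the build while unsigned-off findings remain.
    raise SystemExit(1 if remaining else 0)
```

Keeping the sign-off list in version control next to the build gives each exception a reviewable justification instead of a silent suppression.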