Confluent Platform 6.1.1 contains security fixes for the following open source packages:
- jinja2 - CVE-2020-28493 (CVSS: 5.3).
  The vulnerability is addressed in version 2.11.3 of jinja2. Confluent Platform has resolved this CVE in release 6.1.1 by upgrading to version 2.11.3.
- urllib3 - CVE-2021-28363 (CVSS: 6.5).
  The vulnerability is addressed in version 1.26.4 of urllib3. Confluent Platform has resolved this CVE in release 6.1.1 by upgrading to version 1.26.4.
- cryptography - CVE-2020-36242 (CVSS: 9.1).
  The vulnerability is addressed in version 3.3.2 of cryptography. Confluent Platform has resolved this CVE in release 6.1.1 by upgrading to version 3.4.6.
- org.eclipse.jetty:jetty-server - CVE-2020-27218 (CVSS: 4.8).
  The vulnerability is addressed in version 9.4.35 of jetty-server. Confluent Platform has resolved this CVE in release 6.1.1 by upgrading to version 9.4.38.v20210224.
- org.eclipse.jetty:jetty-server - CVE-2020-27223 (CVSS: 5.3).
  The vulnerability is addressed in version 9.4.36 of jetty-server. Confluent Platform has resolved this CVE in release 6.1.1 by upgrading to version 9.4.38.v20210224.
- kotlin-stdlib:kotlin-stdlib - CVE-2020-29582 (CVSS: 5.3).
  The vulnerability is addressed in version 1.4.21 of kotlin-stdlib. Confluent Platform has resolved this CVE in release 6.1.1 by upgrading to version 1.4.21.
- org.apache.httpcomponents:httpclient - CVE-2020-13956 (CVSS: 5.3).
  The vulnerability is addressed in versions 5.0.3 and 4.5.13 of httpcomponents:httpclient. Confluent Platform has resolved this CVE in release 6.1.1 by upgrading to version 4.5.13.
Confluent Platform 6.1.1 also contains the following security fixes:
- CONFSA-2021-01 (CVSS: 4.9), which Confluent rates as a medium-severity issue. More information will be provided in an upcoming security advisory once all supported versions have an update available.