Confluent Platform 6.1.2 contains security fixes for the following open source packages:
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor - CVE-2020-28491 (CVSS: 7.5)
The vulnerability is addressed in versions 2.11.4 and 2.12.1 of jackson-dataformat-cbor. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 2.11.4.
org.eclipse.jetty:jetty-io - CVE-2021-28165 (CVSS: 7.5)
The vulnerability is addressed in version 9.4.39.v20210325 of jetty-io. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 9.4.40.v20210413.
org.glassfish.jersey.core:jersey-common - CVE-2021-28168 (CVSS: 5.5)
The vulnerability is addressed in versions 3.0.2 and 2.34 of jersey-common. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 2.34.
org.eclipse.jetty:jetty-io - CVE-2021-28163 (CVSS: 2.7)
The vulnerability is addressed in version 9.4.39 of jetty-io. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 9.4.40.v20210413.
net.minidev:json-smart - CVE-2021-27568 (CVSS: 9.1)
The vulnerability is addressed in version 2.4.1 of json-smart. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 2.4.2.
org.eclipse.jetty:jetty-webapp - CVE-2021-28164 (CVSS: 5.3)
The vulnerability is addressed in version 9.4.39 of jetty-webapp. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 9.4.40.v20210413.
io.netty:netty-codec-http2 - CVE-2021-21295 (CVSS: 5.9)
The vulnerability is addressed in version 4.1.60.Final of netty-codec-http2. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 4.1.60.Final.
io.netty:netty-codec-http - CVE-2021-21290 (CVSS: 5.9)
The vulnerability is addressed in version 4.1.59.Final of netty-codec-http. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 4.1.60.Final.
org.simpleframework:simple-xml - CVE-2017-1000190 (CVSS: 9.1)
The vulnerability is not addressed in any version of simple-xml. Confluent Platform 6.1.2 has resolved this by removing the package, which was introduced as a transitive dependency and is not used by Confluent.
io.vertx:vertx-core - CVE-2019-17640 (CVSS: 9.8)
The vulnerability is addressed in version 3.9.4 of vertx-core. Confluent Platform has resolved this CVE in release 6.1.2 by upgrading to version 3.9.7.