Confluent Platform 6.0.3 contains security fixes for the following open source packages:
urllib3 - CVE-2021-28363 (CVSS: 6.5)
The vulnerability is addressed in version 1.26.4 of urllib3. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 1.26.5.
commons-httpclient:commons-httpclient/org.apache.httpcomponents:httpclient - CVE-2020-13956 (CVSS: 5.3)
The vulnerability is addressed in version 4.5.13 of commons-httpclient/httpclient. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 4.15.13.
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor - CVE-2020-28491 (CVSS: 7.5)
The vulnerability is addressed in version 2.11.4 of jackson-dataformat-cbor. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 2.11.4.
org.glassfish.jersey.core:jersey-common - CVE-2021-28168 (CVSS: 5.5)
The vulnerability is addressed in version 2.34 of jersey-common. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 2.34.
org.eclipse.jetty:jetty-server - CVE-2020-27218 (CVSS: 4.8)
The vulnerability is addressed in version 9.4.35.v20201120 of jetty-server. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 9.4.40.v20210413.
org.eclipse.jetty:jetty-server - CVE-2020-27223 (CVSS: 5.3)
The vulnerability is addressed in version 9.4.37.v20210219 of jetty-server. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 9.4.40.v20210413.
org.eclipse.jetty:jetty-io - CVE-2021-28163 (CVSS: 2.7)
The vulnerability is addressed in version 9.4.39 of jetty-io. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 9.4.40.v20210413.
org.eclipse.jetty:jetty-io - CVE-2021-28165 (CVSS: 7.5)
The vulnerability is addressed in version 9.4.39 of jetty-io. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 9.4.40.v20210413.
org.eclipse.jetty:jetty-webapp - CVE-2021-28164 (CVSS: 5.3)
The vulnerability is addressed in version 9.4.39 of jetty-webapp. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 9.4.40.v20210413.
io.netty:netty-http2 - CVE-2021-21295 (CVSS: 5.9)
The vulnerability is addressed in version 4.1.60.Final of netty-http2. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 4.1.60.Final and 4.1.63.Final.
io.netty:netty-codec-http - CVE-2021-21290 (CVSS: 5.5)
The vulnerability is addressed in version 4.1.59.Final of netty-codec-http. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 4.1.60.Final and 4.1.63.Final.
io.vertx:vertx-core - CVE-2019-17640 (CVSS: 9.8)
The vulnerability is addressed in version 3.9.4 of vertx-core. Confluent Platform has resolved this CVE in release 6.0.3 by upgrading to version 3.9.7.
Confluent Platform 6.0.3 also contains the following security fix:
- CONFSA-2021-01 (CVSS: 4.9), which Confluent rates as a medium-severity issue. More information will be provided in an upcoming security advisory once all supported versions have an update available.