Confluent Platform 6.1.3 contains security fixes for the following open source packages:

| CVE | CVSS | Vulnerable Package Version | Upgraded Package Version |
|---|---|---|---|
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 7.5 | org.apache.commons:commons-compress < 1.21 | org.apache.commons:commons-compress:1.21 |
| | 7.5 | net.minidev:json-smart < 2.4.5 | net.minidev:json-smart:2.4.7 and usage evicted in some components |
| | 6.1 | org.hibernate.validator:hibernate-validator < 6.0.18.final | org.hibernate.validator:hibernate-validator:6.0.19.Final |
| | 6.1 | org.hibernate.validator:hibernate-validator < 6.0.19.final | org.hibernate.validator:hibernate-validator:6.0.19.Final |
| | 5.9 | io.netty:netty-codec-http2 < 4.1.61.final | io.netty:netty-codec-http2:4.1.65.Final through io.vertx:vertx-core:jar:3.9.8 |
| | 5.3 | org.eclipse.jetty:jetty-webapp < 9.4.43.v20210629 | org.eclipse.jetty:jetty-webapp:9.4.43.v20210629 |
| | 5.3 | org.apache.httpcomponents.client5:httpclient5 < 5.0.3 | org.apache.httpcomponents.client5:httpclient5:5.0.3 |
| | 5.3 | org.eclipse.jetty:jetty-servlets < 9.4.41.v20210516 | org.eclipse.jetty:jetty-servlets:9.4.43.v20210629 |
| | 5.3 | commons-io:commons-io < 2.7 | commons-io:commons-io:2.7 |
| | 3.5 | org.eclipse.jetty:jetty-server < 9.4.41.v20210516 | org.eclipse.jetty:jetty-server:9.4.43.v20210629 |
| | 3.3 | com.google.guava:guava < 30.0-jre | com.google.guava:guava:30.0-jre |

This release also contains the following security fixes:
- CVE-2021-38153 (CVSS: 6.8), which is rated as a Medium severity issue by Confluent. More details about this issue are available in this security advisory.
- CONFSA-2021-02 (CVSS: 8.6), which is rated as a High severity issue by Confluent. More information will be provided in an upcoming security advisory once all supported versions have an update available and once coordinated disclosure with impacted third parties is complete.