Confluent For Kubernetes patch release version 2.1.3 contains numerous fixes that resolve CVEs in open-source dependencies used by Confluent For Kubernetes components. Unless otherwise noted, none of the CVEs were identified as exploitable; the fixes are made available only to enhance the security hygiene of Confluent software.
The following package upgrades are included in this release version:
Resolved CVEs related to Open-Source Dependencies
| CVE | CVSS | Vulnerable Package Version | Upgraded Package Version |
|---|---|---|---|
| | 7.5 | gopkg.in/yaml.v3 < 3.0.0 | gopkg.in/yaml.v3:v3.0.1 |
| | 5.9 | helm.sh/helm/v3 < 3.5.2 | helm.sh/helm/v3:v3.9.2 |
| | 4.7 | helm.sh/helm/v3 < 3.5.2 | helm.sh/helm/v3:v3.9.2 |
| | 2.7 | helm.sh/helm/v3 < 3.5.2 | helm.sh/helm/v3:v3.9.2 |
| | 2.7 | helm.sh/helm/v3 < 3.5.2 | helm.sh/helm/v3:v3.9.2 |
| | 2.7 | helm.sh/helm/v3 < 3.5.2 | helm.sh/helm/v3:v3.9.2 |
| | 5.0 | opencontainers/image-spec <= 1.0.0 | opencontainers/image-spec: v1.0.3-0.20211202183452-c5a74bcca799 |
| | 6.8 | docker/docker < 20.10.3 | docker/docker:v20.10.17+incompatible |
| | 6.5 | docker/docker < 20.10.3 | docker/docker:v20.10.17+incompatible |
| | 7.5 | golang.org/x/crypto/ssh < 0.0.0-20220314234659-1baeb1ce4c0b | golang.org/x/crypto/ssh:v0.0.0-20220525230936-793ad666bf5e |
| | 7.7 | deislabs/oras < 0.9.0 | deislabs/oras:Package was removed |
| | 8.6 | helm.sh/helm/v3 < 3.6.1 | helm.sh/helm/v3:v3.9.2 |
| | 9.8 | docker/docker < 1.5.0 | docker/docker:v20.10.17+incompatible |
| | 7.5 | docker/docker < 1.8.3 | docker/docker:v20.10.17+incompatible |
| | 7.8 | docker/docker <= 1.4.1 | docker/docker:v20.10.17+incompatible |
| | 5.5 | docker/docker <= 1.8.3 | docker/docker:v20.10.17+incompatible |
| | 9.1 | emicklei/go-restful < 2.16.0 | emicklei/go-restful:v2.16.0+incompatible |
| | 7.5 | containerd/containerd < 1.4.13 | containerd/containerd:v1.6.6 |
| | 5.5 | containerd/containerd < 1.5.13 | containerd/containerd:v1.6.6 |
| | 7.5 | go < 1.17.9 | go:1.17.12 |
| | 7.5 | go < 1.17.9 | go:1.17.12 |
| | 5.3 | go < 1.17.10 | go:1.17.12 |
| | 7.5 | jackson-databind < 2.12.6.1 | jackson-databind:2.13.2.2 |