Status: Done
Assignee: Unassigned
Reporter: Denis
RCA Group: TBD
Created November 1, 2023 at 8:59 PM
Updated May 23, 2024 at 3:51 PM
Resolved May 23, 2024 at 3:51 PM
Severity: High
Vulnerability: Missing upper bound check on chunk length – DoS
https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv
https://nvd.nist.gov/vuln/detail/CVE-2023-43642
Fix in snappy-java 1.1.10.4.
The minimum kafka-clients version with the fix is kafka-clients 3.5.2.
Modules impacted:
- mod-entities-links (Spitfire) - fix: v2.0.2
- mod-search (Spitfire) - fix: v3.0.2
- mod-remote-storage (Volaris) - fix: v3.0.0
| Module                    | Poppy (module version - kafka-clients version) | Quesnelia (module version - kafka-clients version) |
|---------------------------|------------------------------------------------|----------------------------------------------------|
| mod-data-export-spring    | 3.0.4 - 3.6.1                                  | 3.2.0 - 3.6.1                                      |
| mod-dcb                   | 1.0.0 - 3.4.0                                  | 1.1.0 - 3.6.0                                      |
| mod-entities-links        | 2.0.5 - 3.4.1                                  | 3.0.0 - 3.6.1                                      |
| mod-inventory-storage     | 27.0.5 - 3.0.2                                 | 27.1.0 - 3.5.0                                     |
| mod-pubsub                | 2.11.3 - 3.6.0                                 | 2.13.0 - 3.6.0                                     |
| mod-remote-storage        | 3.0.1 - 3.5.1                                  | 3.2.0 - 3.6.1                                      |
| mod-search                | 3.0.6 - 3.5.1                                  | 3.2.0 - 3.6.1                                      |
| mod-source-record-manager | 3.7.9 - 3.6.0                                  | 3.8.0 - 3.6.0                                      |
| mod-source-record-storage | 5.7.6 - 3.6.0                                  | 5.7.0 - 3.6.0                                      |
Not affected: mod-circulation-item 1.0.0 because it no longer uses Kafka.