This repository was archived by the owner on Mar 12, 2024. It is now read-only.

Potential security vulnerability in the zstd C library. Can you help upgrade to patch versions? #48

Description

@HelenParr

Hi @alappin-r7, @camci-r7, I'd like to report a vulnerability issue in com.rapid7:armor-read:0.0.52.

Issue Description

I noticed that com.rapid7:armor-read:0.0.52 directly depends on com.github.luben:zstd-jni:v1.3.5-4 in the pom. However, as shown in the following dependency graph, com.github.luben:zstd-jni:v1.3.5-4 suffers from the vulnerabilities which the C library zstd (version 1.3.5) exposed: CVE-2021-24031, CVE-2019-11922.

Dependency Graph between Java and Shared Libraries

(dependency graph image not reproduced)

Suggested Vulnerability Patch Versions

com.github.luben:zstd-jni:v1.4.9-1 (>=v1.4.9-1) has upgraded this vulnerable C library zstd to the patch version 1.4.9.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues in many downstream Java projects. Could you please upgrade this vulnerable dependency?
By the way, the same issue also seems to occur in com.rapid7:armor-write:0.0.52.

Thanks for your help~
Best regards,
Helen Parr
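The report's point is that the Java build tooling sees only the `zstd-jni` coordinate, not the zstd C library it bundles, so a project has to pin the JNI wrapper version itself. The following check, an added example that is not part of the issue or of the armor project, scans `mvn dependency:tree` output for `com.github.luben:zstd-jni` and flags any version below 1.4.9-1, the first wrapper version the report names as bundling the patched zstd 1.4.9. The sample tree output is constructed for the example; the version parser accepts the plain Maven form (`1.3.5-4`) as well as the `v`-prefixed form used in the report.

```python
import re
from typing import Dict, List, Tuple

# Minimum zstd-jni version the report names as bundling the patched zstd 1.4.9.
FIXED_ZSTD_JNI = "1.4.9-1"
# CVEs the report attributes to the zstd 1.3.5 C library bundled by zstd-jni 1.3.5-4.
RELATED_CVES = ("CVE-2021-24031", "CVE-2019-11922")

# One artifact line of `mvn dependency:tree` output, e.g.
#   [INFO] +- com.github.luben:zstd-jni:jar:1.3.5-4:compile
DEP_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<packaging>\w+)"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample output; the second dependency is a placeholder, not a real artifact.
SAMPLE_TREE = """\
[INFO] com.rapid7:armor-read:jar:0.0.52
[INFO] +- com.github.luben:zstd-jni:jar:1.3.5-4:compile
[INFO] \\- example.org:placeholder-lib:jar:1.0.0:compile
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.9-1' (or 'v1.4.9-1') into a comparable tuple such as (1, 4, 9, 1).

    Non-numeric components (e.g. a 'SNAPSHOT' qualifier) compare as 0.
    """
    bare = version.lstrip("vV")
    parts = re.split(r"[.\-]", bare)
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def is_fixed(version: str) -> bool:
    """True when the zstd-jni version is at or above the first patched wrapper version."""
    return parse_version(version) >= parse_version(FIXED_ZSTD_JNI)


def find_vulnerable_zstd_jni(tree_output: str) -> List[Dict[str, str]]:
    """Return one finding per zstd-jni artifact line whose version predates the fix."""
    findings: List[Dict[str, str]] = []
    for line in tree_output.splitlines():
        match = DEP_LINE.search(line)
        if match is None:
            continue  # root line or non-artifact output
        if match.group("group") != "com.github.luben" or match.group("artifact") != "zstd-jni":
            continue
        version = match.group("version")
        if not is_fixed(version):
            findings.append({
                "artifact": f"{match.group('group')}:{match.group('artifact')}",
                "version": version,
                "upgrade_to": FIXED_ZSTD_JNI,
                "related_cves": ", ".join(RELATED_CVES),
            })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_zstd_jni(SAMPLE_TREE):
        print(f"{finding['artifact']}:{finding['version']} bundles an unpatched zstd; "
              f"upgrade to {finding['upgrade_to']} ({finding['related_cves']})")
```

In practice the input would come from `mvn dependency:tree` run on the project; the parser ignores the root coordinate line because it carries no scope field, and tuple comparison means a bare `1.4.9` (no wrapper qualifier) is still reported as below `1.4.9-1`, which errs on the side of flagging.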
