
suppress CVE check for security fix #11002

Merged
clintropolis merged 1 commit into apache:master from clintropolis:suppress-CVE-2020-13936
Mar 17, 2021

Conversation

@clintropolis
Member

Suppresses https://nvd.nist.gov/vuln/detail/CVE-2020-13936 which gets triggered by the security check, caused by velocity-engine-core-2.2.jar which is a dependency of Avro and Parquet extensions.

Based on the description:

Applications using Apache Velocity that allow untrusted users to
upload templates should upgrade to version 2.3.  This version adds
additional default restrictions on what methods/properties can be
accessed in a template.

I don't believe we should be impacted.
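An added example, not part of this PR or of the Druid repository's own files: assuming the "security check" is the OWASP dependency-check Maven plugin and its XML suppression file (an assumption; the PR does not name the tool), this contrasts a blanket suppression with one scoped to the affected artifact, documented with the rationale from the CVE description, and given an expiry date (a constructed value) so the decision is revisited once the extensions can move to Velocity 2.3.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Too broad: hides CVE-2020-13936 for every artifact in the build, with
       no rationale and no expiry, so a later, genuinely affected dependency
       would be silenced as well. Shown commented out for contrast. -->
  <!--
  <suppress>
    <cve>CVE-2020-13936</cve>
  </suppress>
  -->

  <!-- Scoped suppression: only the velocity-engine-core 2.2 artifact pulled in
       transitively by the Avro and Parquet extensions. The "until" date is a
       constructed placeholder; after it passes the finding reappears. -->
  <suppress until="2021-12-31Z">
    <notes><![CDATA[
      CVE-2020-13936 (Apache Velocity < 2.3) concerns applications that let
      untrusted users upload templates; 2.3 adds default restrictions on which
      methods/properties a template may access. Templates here are not
      user-supplied, so the finding is accepted. Re-evaluate when the
      transitive dependency can be upgraded to 2.3.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.velocity/velocity\-engine\-core@2\.2$</packageUrl>
    <cve>CVE-2020-13936</cve>
  </suppress>

</suppressions>
```

Pinning the packageUrl to the exact version means a future bump of velocity-engine-core is scanned again rather than silently inheriting the suppression.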

@clintropolis clintropolis merged commit 694605e into apache:master Mar 17, 2021
@clintropolis clintropolis deleted the suppress-CVE-2020-13936 branch March 17, 2021 01:18
jihoonson pushed a commit that referenced this pull request Mar 25, 2021
jihoonson pushed a commit to jihoonson/druid that referenced this pull request Apr 14, 2021
@jihoonson jihoonson added this to the 0.21.0 milestone Apr 14, 2021
