Vulnerabilities in dependencies of KSQL official container image

[fmulero]

Hi

I have recently analysed the latest release of the 7.8.0 CP-KSQL docker image that is published in your DockerHub image registry with Trivy (a vulnerability and security scanner). The scanner reports a critical vulnerability in several libraries:

$ trivy image  -q --vuln-type library confluentinc/cp-ksqldb-server:7.8.0 -s CRITICAL

Java (jar)

Total: 4 (CRITICAL: 4)

┌───────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│                Library                │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ org.asynchttpclient:async-http-client │ CVE-2024-53990 │ CRITICAL │ fixed  │ 2.12.3            │ 2.12.4, 3.0.1 │ The AsyncHttpClient (AHC) library allows Java applications │
│ (telemetry-client-3.1518.0.jar)       │                │          │        │                   │               │ to easily e ...                                            │
│                                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-53990                 │
│                                       │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
├───────────────────────────────────────┤                │          │        │                   │               │                                                            │
│ org.asynchttpclient:async-http-client │                │          │        │                   │               │                                                            │
│ (confluent-metrics-7.8.0-ce.jar)      │                │          │        │                   │               │                                                            │
│                                       │                │          │        │                   │               │                                                            │
└───────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Do you have any information/statement about these CVEs related to your product? Is your software actually affected by them?

[fmulero]

New critical CVE has been detected: CVE-2024-52046