Suppress CVEs (#14648)

CVE-2023-34462 - (Allows malicious allocation of resources without throttling) Not applicable as the Netty requests in Druid are internal, and not user facing.
CVE-2016-2402 - (Man in the middle with okhttp by sending certificate chains) Not applicable as okhttp requests in Druid are also internal
This commit is contained in:
AmatyaAvadhanula 2023-07-25 13:37:50 +05:30 committed by GitHub
parent 2f9619a96f
commit 6566bda57c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions

View File

@ -230,6 +230,7 @@
<cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq --> <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
<cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q --> <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor forward them to remote systems, we also don't support for java 6 or lower - https://github.com/advisories/GHSA-269q-hmxg-m83q -->
<cve>CVE-2022-41881</cve> <cve>CVE-2022-41881</cve>
<cve>CVE-2023-34462</cve> <!-- Suppressed since netty requests in Druid are internal, and not user-facing -->
</suppress> </suppress>
<suppress> <suppress>
<!-- TODO: Fix by upgrading hadoop-auth version --> <!-- TODO: Fix by upgrading hadoop-auth version -->
@ -688,6 +689,7 @@
file name: okhttp-*.jar file name: okhttp-*.jar
]]></notes> ]]></notes>
<cve>CVE-2021-0341</cve> <cve>CVE-2021-0341</cve>
<cve>CVE-2016-2402</cve> <!-- Suppressed since okhttp requests in Druid are internal, and not user-facing -->
</suppress> </suppress>
<suppress> <suppress>