celeborn-0.6/0.6.1-r0: cve remediation #69882
Closed
octo-sts[bot] wants to merge 1 commit into
Octo STS / ci-cve-scan
failed
Oct 23, 2025 in 39s
CVE scan report (mode: must-fix)
CVE Scan Results (mode: must-fix)
⚠️ Must-Fix CVEs Found
The following CVEs were marked as must-fix in the PR body:
- GHSA-prj3-ccx8-p6x4 (found in: aarch64/celeborn-0.6-0.6.1-r1.apk, x86_64/celeborn-0.6-0.6.1-r1.apk)
This check will fail until these CVEs are resolved.
aarch64/celeborn-0.6-0.6.1-r1.apk
├── 📄 /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
│ 📦 commons-lang3 3.17.0 (java-archive)
│ Medium CVE-2025-48924 GHSA-j288-q9x7-2f5v fixed in 3.18.0
│ 📦 jackson-core 2.12.7 (java-archive)
│ High CVE-2025-52999 GHSA-h46c-h94j-95f3 fixed in 2.15.0
│ Medium CVE-2025-49128 GHSA-wf8f-6423-gfxg fixed in 2.13.0
│ 📦 jetty-http 9.4.57.v20241219 (java-archive)
│ Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
│ 📦 nimbus-jose-jwt 9.37.2 (java-archive)
│ Medium CVE-2025-53864 GHSA-xwmg-2g98-w7v9 fixed in 9.37.4
├── 📄 /usr/share/java/celeborn/jars/jetty-http-9.4.58.v20250814.jar
│ 📦 jetty-http 9.4.58.v20250814 (java-archive)
│ Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
└── 📄 /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
📦 netty-codec 4.1.119.Final (java-archive)
Medium CVE-2025-58057 GHSA-3p8m-j85q-pgmj fixed in 4.1.125.Final
📦 netty-codec-http 4.1.119.Final (java-archive)
Low CVE-2025-58056 GHSA-fghv-69vj-qj49 fixed in 4.1.125.Final
📦 netty-codec-http2 4.1.119.Final (java-archive)
High CVE-2025-55163 GHSA-prj3-ccx8-p6x4 fixed in 4.1.124.Final
aarch64/celeborn-0.6-compat-0.6.1-r1.apk
✅ No vulnerabilities found
x86_64/celeborn-0.6-0.6.1-r1.apk
├── 📄 /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
│ 📦 commons-lang3 3.17.0 (java-archive)
│ Medium CVE-2025-48924 GHSA-j288-q9x7-2f5v fixed in 3.18.0
│ 📦 jackson-core 2.12.7 (java-archive)
│ High CVE-2025-52999 GHSA-h46c-h94j-95f3 fixed in 2.15.0
│ Medium CVE-2025-49128 GHSA-wf8f-6423-gfxg fixed in 2.13.0
│ 📦 jetty-http 9.4.57.v20241219 (java-archive)
│ Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
│ 📦 nimbus-jose-jwt 9.37.2 (java-archive)
│ Medium CVE-2025-53864 GHSA-xwmg-2g98-w7v9 fixed in 9.37.4
├── 📄 /usr/share/java/celeborn/jars/jetty-http-9.4.58.v20250814.jar
│ 📦 jetty-http 9.4.58.v20250814 (java-archive)
│ Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
└── 📄 /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
📦 netty-codec 4.1.119.Final (java-archive)
Medium CVE-2025-58057 GHSA-3p8m-j85q-pgmj fixed in 4.1.125.Final
📦 netty-codec-http 4.1.119.Final (java-archive)
Low CVE-2025-58056 GHSA-fghv-69vj-qj49 fixed in 4.1.125.Final
📦 netty-codec-http2 4.1.119.Final (java-archive)
High CVE-2025-55163 GHSA-prj3-ccx8-p6x4 fixed in 4.1.124.Final
x86_64/celeborn-0.6-compat-0.6.1-r1.apk
✅ No vulnerabilities found