rest-utils uses vulnerable version of hibernate-validator

[pavel-sbor]

Description
I checked confluent kafka 5.5.1 distribution with WhiteSource and find out that rest-utils uses vulnerable library:

• hibernate-validator-6.0.17.Final.jar has CVE-2019-10219 and CVE-2020-10693 vulnerabilities. The way to fix it is to upgrade to org.hibernate.validator:hibernate-validator:6.0.20.Final

To Reproduce
Download Confluent Kafka 5.5.1 distribution (for example curl -O http://packages.confluent.io/archive/5.5/confluent-community-5.5.1-2.12.tar.gz)
Open share/java/rest-utils folder in it and find hibernate-validator-6.0.17.Final.jar

Expected behavior

• hibernate-validator upgraded to 6.0.20.Final or higher

Actual behaviour

• hibernate-validator is 6.0.17.Final

[dongjinleekr]

Manikumar Reddy (@omkreddy) It seems like this issue is alread fixed - the current hibernate validator version is 6.1.7.Final.

[ewencp]

Yes, this looks like it's made it onto 5.4.x and newer #224. Note that 5.5.1 is not the latest bugfix release on the 5.5.x line anymore, but was at the time of the report. At the moment, a newer 5.5.x release has not been produced, but there are releases in the 6.x set of release lines that do contain the fix.

[janjwerner-confluent]

Pavel,
Thank you for raising this issue. We are investigating this as a possible regression.

[janjwerner-confluent]

The latest release of 5.5 version (5.5.12) ships with the updated hibernate-validator version: 6.1.7.Final.