Security Vulnerabilities - CVE-2020-7692 CVE-2021-27568 CVE-2022-21724

We did a security scan on our druid cluster which is on version 0.22.1 and found the following vulnerabilities:

  • com.google.oauth-client:google-oauth-client|1.26.0|CVE-2020-7692|CRITICAL|google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization

  • net.minidev:json-smart|1.3.1|CVE-2021-27568|CRITICAL|json-smart: uncaught exception may lead to crash or information disclosure

  • org.postgresql:postgresql|42.2.14|CVE-2022-21724|CRITICAL|jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes

  • org.apache.spark:spark-core_2.11|2.4.3|CVE-2018-17190|CRITICAL|Low severity vulnerability that affects org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11

Any plans on fixing these critical security vulnerabilities?

In addition there are these severe but less critical vulnerabilities:

CVE-2020-36518
CVE-2020-9492
CVE-2020-13936
CVE-2021-44878
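As an added example (not code from the issue reporter or from the Druid project), the script below parses the pipe-delimited scanner lines quoted above, deduplicates them, groups the CVE ids per dependency so each upgrade decision is made once, and flags rows whose description text contradicts the severity label (the spark-core row is labelled CRITICAL but its own description says "Low severity"). The field layout `group:artifact|version|CVE|severity|description` is assumed from the pasted lines; the mismatch heuristic and the function names are this example's own.

```python
"""Parse pipe-delimited dependency-scanner findings and produce a triage summary."""
import re
from collections import defaultdict

# Scanner output copied from the issue above, one finding per line.
# Field layout (assumed from the pasted lines): group:artifact|version|CVE|severity|description
SCAN_OUTPUT = """\
com.google.oauth-client:google-oauth-client|1.26.0|CVE-2020-7692|CRITICAL|google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization
net.minidev:json-smart|1.3.1|CVE-2021-27568|CRITICAL|json-smart: uncaught exception may lead to crash or information disclosure
org.postgresql:postgresql|42.2.14|CVE-2022-21724|CRITICAL|jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
org.apache.spark:spark-core_2.11|2.4.3|CVE-2018-17190|CRITICAL|Low severity vulnerability that affects org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
# Phrases in a description that contradict a CRITICAL label (heuristic, this example's own).
DOWNGRADE_HINTS = ("low severity", "medium severity", "moderate severity")


def parse_finding(line):
    """Split one scanner line into a dict; raise ValueError on malformed input."""
    # The description may itself contain '|', so split into at most 5 fields.
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 pipe-separated fields, got {len(parts)}: {line!r}")
    coordinate, version, cve, severity, description = (p.strip() for p in parts)
    group, sep, artifact = coordinate.partition(":")
    if not sep or not group or not artifact:
        raise ValueError(f"bad Maven coordinate {coordinate!r}")
    if not CVE_RE.match(cve):
        raise ValueError(f"bad CVE identifier {cve!r}")
    severity = severity.upper()
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r}")
    return {
        "group": group, "artifact": artifact, "version": version,
        "cve": cve, "severity": severity, "description": description,
        # Flag rows where the scanner's own text disagrees with its severity label.
        "needs_review": severity == "CRITICAL"
        and any(h in description.lower() for h in DOWNGRADE_HINTS),
    }


def parse_report(text):
    """Parse all non-empty lines, dropping exact duplicate (dependency, version, CVE) rows."""
    seen, findings = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_finding(line)
        key = (f["group"], f["artifact"], f["version"], f["cve"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(f)
    # Most severe first, then stable by artifact and CVE id.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["artifact"], f["cve"]))
    return findings


def by_artifact(findings):
    """Group CVE ids per dependency so one upgrade decision covers all of them."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f"{f['group']}:{f['artifact']}@{f['version']}"].append(f["cve"])
    return dict(grouped)


def summarize(text):
    """Return (counts per severity, dependency -> CVE ids, CVE ids needing manual review)."""
    findings = parse_report(text)
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    review = [f["cve"] for f in findings if f["needs_review"]]
    return dict(counts), by_artifact(findings), review


if __name__ == "__main__":
    counts, grouped, review = summarize(SCAN_OUTPUT)
    print("severity counts:", counts)
    for dep, cves in grouped.items():
        print(f"{dep}: {', '.join(cves)}")
    print("label/description mismatch, check manually:", review)
```

Feeding the script the full scanner export rather than the four pasted lines gives the same per-dependency grouping; the `needs_review` flag only marks a row for a human decision, it never lowers the severity on its own.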

Have you reported a security vulnerability?

I just reported the issues