ZOOKEEPER-4932: The newest version of zookeeper includes Jetty versiob 9.4.57.x which has CVE-2024-6763 issue

anmolnar · kezhuw · web-flow · commit 06b418b62d28 · 2025-08-01T16:35:51.000-05:00
ZOOKEEPER-4932: Put back accidentally removed owasp suppression Update owaspSuppressions.xml Co-authored-by: Kezhu Wang <kezhuw@gmail.com> Reviewers: kezhuw Author: anmolnar Closes #2288 from anmolnar/ZOOKEEPER-4932
diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
@@ -18,6 +18,23 @@
 -->
 
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+   <suppress>
+      <!--
+         We have updated jetty[1] to 9.4.57.v20241219[2] which includes a fix[3] for CVE-2024-6763[4].
+         But it is not listed as fixed version since 9.x is EOL[5]. So we still have to suppress this
+         to pass vulnerabilities check. Besides above, ZooKeeper does not use HttpURI[6] thus should
+         not be affected by this CVE anyway.
+
+         Refs:
+         [1]: https://github.com/apache/zookeeper/pull/2220
+         [2]: https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
+         [3]: https://github.com/jetty/jetty.project/pull/12532
+         [4]: https://github.com/advisories/GHSA-qh8g-58pp-2wxh
+         [5]: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
+         [6]: https://issues.apache.org/jira/browse/ZOOKEEPER-4876
+      -->
+      <cve>CVE-2024-6763</cve>
+   </suppress>
    <suppress>
       <!-- ZOOKEEPER-3217 -->
       <cve>CVE-2018-8088</cve>
