The latest version of logstash 8.12.0. Reports vulnerable

How to fix vulnerabilities in the maven-core-3.3.9.jar, maven-compat-3.3.9.jar and derby-10.14.1.0.jar. This is reported vulnerable in the latest Logstash package?

DetailedName
org.apache.maven:maven-core 3.3.9
org-apache.maven:maven-compatible 3.3.9
org-apache.derby:derby 10.14.1.0

I need to upgrade the above with latest? Could you please help me with the steps?

1 Like

I do not think you can upgrade those yourself, you need Elastic to do it. There has been an issue for 5 months on github that mentions all three of these here.

Elastic ask that folks report security issues via email. Not via the forums, not via github. Apparently they even have a bug bounty program for demonstrable security issues.

Thank you @Badger