Apache Gobblin security advisories

Security information for Apache Gobblin

Reporting

Do you want disclose a potential security issue for Apache Gobblin? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Insecure TrustManager used in LDAP connections

CVE-2021-36152 [CVE] [CVE json] [OSV json]

Last updated: 2022-02-03T18:26:12.111Z

Affected

  • Apache Gobblin from Apache Gobblin through 0.15.0

Description

Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service. This affects versions <= 0.15.0. Users should update to version 0.16.0 which addresses this issue.

References

Credits

  • Apache Gobblin would like to thank Simon Gerst for reporting this issue.

Local Credentials Disclosure Vulnerability

CVE-2021-36151 [CVE] [CVE json] [OSV json]

Last updated: 2022-02-03T18:29:46.145Z

Affected

  • Apache Gobblin from Apache Gobblin through 0.15.0

Description

In Apache Gobblin, the Hadoop token is written to a temp file that is visible to all local users on Unix-like systems. This affects versions <= 0.15.0. Users should update to version 0.16.0 which addresses this issue.

References

Credits

  • Apache Gobblin would like to thank Jonathan Leitschuh for reporting this issue.