CVE-2023-44981 for zookeeper version

[dkirrane]

In what version(s) of Spring for Apache Kafka are you seeing this issue?

3.0.12

Describe the bug

Blackduck is reporting https://nvd.nist.gov/vuln/detail/CVE-2023-44981
It looks like this is a result of us pulling in an older ZooKeeper org.apache.zookeeper:zookeeper:3.6.3
Could this ZooKeeper version be updated to remove the CVE?

[artembilan]

Spring for Apache Kafka manages org.apache.zookeeper:zookeeper only for spring-kafka-test module:

project ('spring-kafka-test') {
...
		api ("org.apache.zookeeper:zookeeper:$zookeeperVersion") {
			exclude group: 'org.slf4j', module: 'slf4j-log4j12'
			exclude group: 'log4j'
		}

You vulnerability report is false positive since test dependencies cannot affect a production code where exploit is possible.

Sure! We can look into upgrading even that test dependency in the latest our version.
But that 3.0.x branch cannot be upgraded since, according to the CVE you share, they didn't fix their 3.6.x generation.

[garyrussell]

We should probably make zookeeper an optionalApi in 3.1.x because KRaft mode is now the default for the embedded broker.