From this webpage screenshot, the following key information about the vulnerability can be obtained:

- **Pull Request #8878**: Used to fix security vulnerabilities.
- **Fixed Issues**: #4798 and #6347.
- **Description**: Security vulnerabilities resolved by upgrading third-party libraries, including:
  - `avro-ipc` upgraded to 1.9.1 (Sonatype-2019-0915)
  - `caffeine` upgraded to 2.8.0 (Sonatype-2019-0928)
  - `commons-beanutils` upgraded to 1.9.4 (CVE-2014-0114, Sonatype-2012-0050)
  - `commons-codec` upgraded to 1.13 (CVE-2018-12402)
  - `commons-compress` upgraded to 1.19 (CVE-2018-17767)
  - `hadoop-common` upgraded to 2.8.5 (CVE-2018-17767)
  - `hadoop-mapreduce-client-core` upgraded to 2.8.5 (CVE-2018-3106)
  - `hibernate-validator` upgraded to 5.2.5 (CVE-2017-7536)
  - `httpclient` upgraded to 4.5.10 (Sonatype-2017-0339)
  - `icu4j` upgraded to 55.1 (CVE-2014-8147)
  - `jackson-databind` upgraded to 2.6.7.3 (CVE-2017-7545)
  - `jetty-http` upgraded to 9.4.12 (CVE-2017-7657, CVE-2017-7658, CVE-2017-7656, CVE-2018-12545)
  - `log4j-core` upgraded to 2.8.2 (CVE-2017-5645, CVE-2015-2110)
  - `netty-common` upgraded to 4.1.42 (CVE-2019-9518)
  - `netty-codec-http` upgraded to 4.1.42 (CVE-2019-16869)
  - `nimbus-jose-jwt` upgraded to 4.41.1 (CVE-2017-12972, CVE-2017-12974)
  - `plexus-utils` upgraded to 3.0.24 (CVE-2017-1000487, Sonatype-2015-0173, Sonatype-2016-0398)
  - `postgresql` upgraded to 42.2.8 (CVE-2018-10936)
- **Note**: If users are using JDBC to look up PostgreSQL, they may need to update the JDBC jar used by the lookup extension.
- **PR Status**:
  - Self-reviewed
  - Documentation added for new features or behavioral changes
  - Version, license, or notice information updated or added
  - Comments added explaining the "why" and intent of the code
  - Tested in a Druid cluster