You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "James Busche (Jira)" <ji...@apache.org> on 2022/07/21 16:19:00 UTC

[jira] [Created] (FLINK-28637) High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar

James Busche created FLINK-28637:
------------------------------------

             Summary: High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
                 Key: FLINK-28637
                 URL: https://issues.apache.org/jira/browse/FLINK-28637
             Project: Flink
          Issue Type: Bug
          Components: Kubernetes Operator
    Affects Versions: kubernetes-operator-1.1.0
            Reporter: James Busche


I noticed a high vulnerability in the flink-kubernetes-operator-1.1.0-shaded.jar file.

=======

cvss: 7.5

riskFactors: Has fix,High severity

cve: PRISMA-2022-0239    

link: https://github.com/square/okhttp/issues/6738

status: fixed in 4.9.2

packagePath: /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar

description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are vulnerable for sensitive information disclosure. An illegal character in a header value will cause IllegalArgumentException which will include full header value. This applies to Authorization, Cookie, Proxy-Authorization and Set-Cookie headers. 

=======

It looks like we're using version 3.12.12, and there's no plans to provide this fix for the 3.x version.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)