Posted to dev@flink.apache.org by "XuCongying (Jira)" <ji...@apache.org> on 2020/03/01 13:45:00 UTC

[jira] [Created] (FLINK-16356) Some dependencies contain CVEs

XuCongying created FLINK-16356:
----------------------------------

             Summary: Some dependencies contain CVEs
                 Key: FLINK-16356
                 URL: https://issues.apache.org/jira/browse/FLINK-16356
             Project: Flink
          Issue Type: Bug
            Reporter: XuCongying


I found that your project uses some dependencies that contain CVEs. To prevent the potential risk they may cause, I suggest a library update. The following is the detailed content.
 
Vulnerable Library Version: com.squareup.okhttp3 : okhttp : 3.7.0
  CVE ID: [CVE-2018-20200](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20200)
  Import Path: flink-metrics/flink-metrics-datadog/pom.xml, flink-end-to-end-tests/flink-end-to-end-tests-common/pom.xml, flink-end-to-end-tests/flink-metrics-reporter-prometheus-test/pom.xml, flink-runtime/pom.xml
  Suggested Safe Versions: 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 4.0.0, 4.0.0-RC1, 4.0.0-RC2, 4.0.0-RC3, 4.0.0-alpha01, 4.0.0-alpha02, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0

Vulnerable Library Version: com.google.guava : guava : 18.0
  CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
  Import Path: flink-connectors/flink-connector-kinesis/pom.xml, flink-connectors/flink-connector-cassandra/pom.xml
  Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
 
Vulnerable Library Version: org.apache.hive : hive-exec : 1.2.1
  CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-exec : 2.0.0
  CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-exec : 1.1.0
  CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-exec : 2.1.1
  CVE ID: [CVE-2017-12625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625), [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-exec : 1.0.1
  CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

Vulnerable Library Version: org.apache.hive : hive-exec : 2.2.0
  CVE ID: [CVE-2017-12625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625), [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.11.0.2
  CVE ID: [CVE-2018-1288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288), [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
  Import Path: flink-connectors/flink-connector-kafka-0.11/pom.xml
  Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
 
Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.10.2.1
  CVE ID: [CVE-2018-1288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288)
  Import Path: flink-connectors/flink-connector-kafka-0.10/pom.xml, flink-connectors/flink-connector-kafka-base/pom.xml
  Suggested Safe Versions: 0.10.2.2, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
 
Vulnerable Library Version: org.apache.logging.log4j : log4j-api : 2.7
  CVE ID: [CVE-2017-5645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645)
  Import Path: flink-connectors/flink-connector-elasticsearch5/pom.xml
  Suggested Safe Versions: 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.8.2, 2.9.0, 2.9.1
 
Vulnerable Library Version: org.apache.logging.log4j : log4j-core : 2.7
  CVE ID: [CVE-2019-17571](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571), [CVE-2017-5645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645)
  Import Path: flink-connectors/flink-connector-elasticsearch5/pom.xml
  Suggested Safe Versions: 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.8.2, 2.9.0, 2.9.1
 
Vulnerable Library Version: org.apache.kafka : kafka-clients : 0.10.2.1
  CVE ID: [CVE-2017-12610](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610)
  Import Path: flink-connectors/flink-connector-kafka-0.10/pom.xml, flink-connectors/flink-connector-kafka-base/pom.xml
  Suggested Safe Versions: 0.10.2.2, 0.11.0.2, 0.11.0.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
 
Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.10
  CVE ID: [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201)
  Import Path: flink-runtime/pom.xml
  Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7
 
Vulnerable Library Version: org.apache.hadoop : hadoop-common : 3.1.0
  CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
  Import Path: flink-filesystems/flink-s3-fs-base/pom.xml, flink-filesystems/flink-fs-hadoop-shaded/pom.xml
  Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
 
Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.5
  CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
  Import Path: flink-table/flink-sql-client/pom.xml
  Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
 
Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.4.1
  CVE ID: [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713), [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
  Import Path: flink-connectors/flink-connector-filesystem/pom.xml, flink-yarn/pom.xml, flink-yarn-tests/pom.xml, flink-fs-tests/pom.xml, flink-filesystems/flink-hadoop-fs/pom.xml
  Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
 
Vulnerable Library Version: org.apache.orc : orc-core : 1.4.3
  CVE ID: [CVE-2018-8015](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8015)
  Import Path: flink-connectors/flink-connector-hive/pom.xml, flink-formats/flink-orc/pom.xml
  Suggested Safe Versions: 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2
 
Vulnerable Library Version: org.apache.commons : commons-compress : 1.18
  CVE ID: [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
  Import Path: flink-core/pom.xml
  Suggested Safe Versions: 1.19, 1.20
 
Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.1.0
  CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.2.1
  CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.0.1
  CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-metastore : 1.1.0
  CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

Vulnerable Library Version: org.apache.hive : hive-metastore : 1.2.1
  CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-metastore : 1.0.1
  CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: com.rabbitmq : amqp-client : 4.2.0
  CVE ID: [CVE-2018-11087](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11087)
  Import Path: flink-connectors/flink-connector-rabbitmq/pom.xml
  Suggested Safe Versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0

Vulnerable Library Version: org.apache.hive : hive-service : 1.1.0
  CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2015-1772](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1772)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

Vulnerable Library Version: org.apache.hive : hive-service : 1.0.1
  CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-service : 1.2.1
  CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
 
Vulnerable Library Version: org.apache.hive : hive-service : 2.0.0
  CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083)
  Import Path: flink-connectors/flink-connector-hive/pom.xml
  Suggested Safe Versions: 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

--
This message was sent by Atlassian Jira
(v8.3.4#803005)