Posted to issues@flink.apache.org by "Jeff Hu (Jira)" <ji...@apache.org> on 2020/08/06 15:20:00 UTC

[jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency

Jeff Hu created FLINK-18841:
-------------------------------

             Summary: CVE-2018-10237 and CWE-400 occurred in flink dependency 
                 Key: FLINK-18841
                 URL: https://issues.apache.org/jira/browse/FLINK-18841
             Project: Flink
          Issue Type: Bug
          Components: Table SQL / Planner
    Affects Versions: 1.11.1
         Environment: flink:1.11.1
                      scala:2.11
            Reporter: Jeff Hu


CVE-2018-10237 and CWE-400 are caused by the jar {{com.google.guava:guava:18.0}}, which is depended on by {{flink-shaded-guava-18.0-6.0.jar}} & {{flink-table-planner_2.11-1.11.1.jar}}. These dependencies are internal references from Flink.

[https://github.com/apache/flink/blob/master/pom.xml]

    <!-- WARN:
        DO NOT put guava,
                   protobuf,
                   asm,
                   netty
        here. It will overwrite Hadoop's guava dependency (even though we handle it
        separately in the flink-shaded-hadoop-2 dependency).
    -->
    <dependencies>

        <dependency>
            <groupId>org.apache.flink</groupId>
            <artifactId>flink-shaded-asm-7</artifactId>
            <version>7.1-${flink.shaded.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.flink</groupId>
            <artifactId>flink-shaded-guava</artifactId>
            <version>18.0-${flink.shaded.version}</version>
        </dependency>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
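The report above points at Guava 18.0 bundled (shaded) inside Flink jars. As an added example, not part of the Jira issue or of the Flink project, the following Python script scans jar files for bundled Guava and flags versions in the range affected by CVE-2018-10237 (11.0 up to, but not including, 24.1.1). It assumes flink-shaded relocates Guava classes under org/apache/flink/shaded/guava<major>/ and that Maven's pom.properties may survive shading; the sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Assumed flink-shaded relocation prefix for Guava classes: org/apache/flink/shaded/guava<major>/
SHADED_GUAVA_RE = re.compile(r"^org/apache/flink/shaded/guava(\d+)/com/google/common/")
POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"  # Maven metadata, if kept
FIRST_FIXED = (24, 1, 1)  # CVE-2018-10237 affects Guava 11.0 up to, not including, 24.1.1

def parse_version(v):
    nums = [int(p) for p in re.findall(r"\d+", v)]  # '24.1-jre' -> [24, 1]
    return tuple((nums + [0, 0, 0])[:3])

def affected_by_cve_2018_10237(v):
    return (11, 0, 0) <= parse_version(v) < FIRST_FIXED

def guava_versions_in_jar(jar_bytes):
    """Collect Guava versions evidenced by a jar's entry names and its pom.properties."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = SHADED_GUAVA_RE.match(name)
            if m:
                found.add(m.group(1) + ".0")  # relocation reveals only the major version
            elif name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                vm = re.search(r"^version=(.+)$", props, re.M)
                if vm:
                    found.add(vm.group(1).strip())
    return found

def scan(jars):  # jar name -> sorted bundled Guava versions still in the affected range
    return {name: sorted(v for v in guava_versions_in_jar(data) if affected_by_cve_2018_10237(v))
            for name, data in jars.items()}

def make_jar(entries):
    buf = io.BytesIO()  # a jar is a zip; build one in memory from {entry_name: bytes}
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample jars, not the real Flink artifacts.
SAMPLE_JARS = {
    "flink-shaded-guava-18.0-6.0.jar": make_jar({
        "org/apache/flink/shaded/guava18/com/google/common/util/concurrent/AtomicDoubleArray.class": b"",
        POM_PROPS: b"groupId=com.google.guava\nartifactId=guava\nversion=18.0\n",
    }),
    "app-with-current-guava.jar": make_jar({POM_PROPS: b"version=30.1.1-jre\n"}),
}
```

Run `scan` over the bytes of real jars from a Flink distribution's lib/ directory to see which artifacts still carry an affected Guava; an empty list for a jar means no bundled Guava in the affected range was detected by either signal.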