You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "James Busche (Jira)" <ji...@apache.org> on 2022/11/02 17:45:00 UTC
[jira] [Created] (FLINK-29853) Older jackson-databind found in flink-kubernetes-operator-1.2.0-shaded.jar
James Busche created FLINK-29853:
------------------------------------
Summary: Older jackson-databind found in flink-kubernetes-operator-1.2.0-shaded.jar
Key: FLINK-29853
URL: https://issues.apache.org/jira/browse/FLINK-29853
Project: Flink
Issue Type: Bug
Components: Kubernetes Operator
Affects Versions: kubernetes-operator-1.2.1
Reporter: James Busche
A Twistlock security scan of the existing 1.2.0 operator as well as the current main release shows a high vulnerability with the current jackson-databind version.
======
severity: High
cvss: 7.5
riskFactors: Attack complexity: low,Attack vector: network,Has fix,High severity,Recent vulnerability
CVE link: [https://nvd.nist.gov/vuln/detail/CVE-2022-42003]
packageName: com.fasterxml.jackson.core_jackson-databind
packagePath: /flink-kubernetes-operator/flink-kubernetes-operator-1.2.0-shaded.jar and/or /flink-kubernetes-operator/flink-kubernetes-operator-1.3-SNAPSHOT-shaded.jar
description: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
====
This is exactly like the older issue https://issues.apache.org/jira/browse/FLINK-27654
I'm going to see if I can fix it myself and create a PR if I'm successful.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)