Posted to dev@flink.apache.org by "Bilna (Jira)" <ji...@apache.org> on 2022/08/09 10:42:00 UTC

[jira] [Created] (FLINK-28891) Upgrade google-cloud-libraries-bom version to 25.0.0

Bilna created FLINK-28891:
-----------------------------

             Summary: Upgrade google-cloud-libraries-bom version to 25.0.0
                 Key: FLINK-28891
                 URL: https://issues.apache.org/jira/browse/FLINK-28891
             Project: Flink
          Issue Type: Bug
            Reporter: Bilna


*CVE-2022-25647*
In flink-connector-gcp-pubsub, the google-cloud-pubsub version is pulled from
google-cloud-bom (loaded via the libraries-bom), and the libraries-bom version in 1.13.6 is 8.1.0. The google-cloud-pubsub version pulled through this is 1.108.0.
https://mvnrepository.com/artifact/com.google.cloud/libraries-bom/8.1.0
 
The dependency google-cloud-pubsub:1.108.0 has com.google.code.gson:gson:jar:2.8.6, which is vulnerable.
https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.108.0/jar
 
From google-cloud-pubsub:1.116.0 onwards the gson version is 2.9.0.
https://search.maven.org/artifact/com.google.cloud/google-cloud-pubsub/1.116.0/jar
 
So in order to resolve the vulnerability, the google-cloud-libraries-bom version needs to be upgraded to 25.0.0 or higher.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
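Editor's added example (not part of the Jira issue, and not Flink's own pom.xml): a consuming project's pom.xml that forces the newer google-cloud-libraries-bom the issue asks for, without waiting for a Flink release. In Maven, a BOM imported into the consuming project's dependencyManagement governs transitive versions as well, so google-cloud-pubsub and its gson are resolved from libraries-bom 25.0.0 instead of from the libraries-bom 8.1.0 that flink-connector-gcp-pubsub 1.13.6 carries. The Flink artifact coordinates, the Scala suffix and the project coordinates below are assumptions for illustration; the BOM and gson versions are the ones the issue names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not Flink's pom. Coordinates marked "assumed" are illustrative. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- assumed project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>pubsub-job</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Import the newer Google Cloud BOM here. dependencyManagement of the
           top-level project wins over versions that arrive transitively, so
           google-cloud-pubsub is taken from libraries-bom 25.0.0 rather than
           from the 8.1.0 BOM referenced by flink-connector-gcp-pubsub 1.13.6. -->
      <dependency>
        <groupId>com.google.cloud</groupId>
        <artifactId>libraries-bom</artifactId>
        <version>25.0.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Belt and braces: pin gson itself so that no other dependency path
           in this project can still pull in the vulnerable 2.8.6. -->
      <dependency>
        <groupId>com.google.code.gson</groupId>
        <artifactId>gson</artifactId>
        <version>2.9.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- assumed coordinates: the 1.13.x connector artifacts carry a Scala suffix -->
    <dependency>
      <groupId>org.apache.flink</groupId>
      <artifactId>flink-connector-gcp-pubsub_2.12</artifactId>
      <version>1.13.6</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override actually took effect, run `mvn dependency:tree -Dincludes=com.google.code.gson:gson` in the project and check that the only gson entry reported is 2.9.0; `mvn dependency:tree -Dverbose` additionally prints which version was replaced by dependency management. Pinning gson alone is not sufficient on its own: it closes this one CVE but leaves the rest of the old google-cloud-pubsub stack in place, which is why the BOM import is the primary fix and the gson pin only a guard.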