You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flink.apache.org by "Iman Sharafaldin (Jira)" <ji...@apache.org> on 2022/02/17 06:44:00 UTC

[jira] [Created] (FLINK-26209) Possibility of Command Injection attack

Iman Sharafaldin created FLINK-26209:
----------------------------------------

             Summary: Possibility of Command Injection attack 
                 Key: FLINK-26209
                 URL: https://issues.apache.org/jira/browse/FLINK-26209
             Project: Flink
          Issue Type: Bug
          Components: Library / Machine Learning
            Reporter: Iman Sharafaldin


As you can see in line 134 command line is built using string concatenation. An attacker who has control over args can execute malicious commands.

 

|final String cmd = discoveryScript.getAbsolutePath() + " " + gpuAmount + " " + args;|
||

[https://github.com/apache/flink/blob/0d29b23f892714e4936b8af2f896e3040ddc9e89/flink-external-resources/flink-external-resource-gpu/src/main/java/org/apache/flink/externalresource/gpu/GPUDriver.java#L134]

 

 

Reference:

https://owasp.org/www-community/attacks/Command_Injection



--
This message was sent by Atlassian Jira
(v8.20.1#820001)