Posted to dev@flink.apache.org by "Iman Sharafaldin (Jira)" <ji...@apache.org> on 2022/02/17 06:44:00 UTC
[jira] [Created] (FLINK-26209) Possibility of Command Injection attack
Iman Sharafaldin created FLINK-26209:
----------------------------------------
Summary: Possibility of Command Injection attack
Key: FLINK-26209
URL: https://issues.apache.org/jira/browse/FLINK-26209
Project: Flink
Issue Type: Bug
Components: Library / Machine Learning
Reporter: Iman Sharafaldin
As you can see, in line 134 the command line is built using string concatenation. An attacker who has control over args can execute malicious commands.
    final String cmd = discoveryScript.getAbsolutePath() + " " + gpuAmount + " " + args;
https://github.com/apache/flink/blob/0d29b23f892714e4936b8af2f896e3040ddc9e89/flink-external-resources/flink-external-resource-gpu/src/main/java/org/apache/flink/externalresource/gpu/GPUDriver.java#L134
Reference:
https://owasp.org/www-community/attacks/Command_Injection
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
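The concatenation pattern quoted in the report, next to an argument-vector form that validates each token. This is an added example, not part of the original message and not Flink code. The class name, method names, the `long` type of `gpuAmount`, the script path, the sample inputs and the token allow-list are all assumptions.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Flink code; class and method names are hypothetical.
public class DiscoveryCommand {
    // Assumed policy: extra arguments are plain option/value tokens.
    private static final Pattern SAFE_TOKEN = Pattern.compile("[A-Za-z0-9_./=:-]+");

    // Pattern from the report: data and command share one string.
    static String concatenated(File script, long gpuAmount, String args) {
        return script.getAbsolutePath() + " " + gpuAmount + " " + args;
    }

    // Hardened form: explicit argument vector, each token validated.
    static List<String> argv(File script, long gpuAmount, String args) {
        if (gpuAmount <= 0) {
            throw new IllegalArgumentException("gpuAmount must be positive");
        }
        List<String> argv = new ArrayList<>();
        argv.add(script.getAbsolutePath());
        argv.add(Long.toString(gpuAmount));
        String trimmed = args == null ? "" : args.trim();
        if (!trimmed.isEmpty()) {
            for (String token : trimmed.split("\\s+")) {
                if (!SAFE_TOKEN.matcher(token).matches()) {
                    throw new IllegalArgumentException("rejected token: " + token);
                }
                argv.add(token);
            }
        }
        return argv;
    }

    public static void main(String[] unused) {
        File script = new File("/opt/flink/discover.sh"); // constructed path
        String benign = "--mode fast";                     // constructed input
        String hostile = "--mode fast; echo injected";     // constructed input
        System.out.println(concatenated(script, 2, hostile));
        // ProcessBuilder passes the list as argv; no shell parses it.
        ProcessBuilder pb = new ProcessBuilder(argv(script, 2, benign));
        System.out.println(pb.command());
        try {
            argv(script, 2, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The allow-list only restricts which characters a token may contain. Which options the script itself treats as safe is a separate check that belongs with the script's own argument handling.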