Posted to issues@flink.apache.org by "Flink Jira Bot (Jira)" <ji...@apache.org> on 2022/04/09 10:39:00 UTC

[jira] [Updated] (FLINK-16356) Some dependencies contain CVEs

     [ https://issues.apache.org/jira/browse/FLINK-16356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Flink Jira Bot updated FLINK-16356:
-----------------------------------
    Labels: auto-deprioritized-major stale-minor  (was: auto-deprioritized-major)

I am the [Flink Jira Bot|https://github.com/apache/flink-jira-bot/] and I help the community manage its development. I see this issue has been marked as Minor but is unassigned, and neither it nor its Sub-Tasks have been updated for 180 days. I have gone ahead and marked it "stale-minor". If this ticket is still Minor, please either assign yourself or give an update. Afterwards, please remove the label, or in 7 days the issue will be deprioritized.


> Some dependencies contain CVEs
> ------------------------------
>
>                 Key: FLINK-16356
>                 URL: https://issues.apache.org/jira/browse/FLINK-16356
>             Project: Flink
>          Issue Type: Bug
>          Components: Build System
>            Reporter: XuCongying
>            Priority: Minor
>              Labels: auto-deprioritized-major, stale-minor
>         Attachments: apache-flink_CVE-report.md
>
>
> I found that your project uses some dependencies that contain CVEs. To prevent the potential risk they may cause, I suggest a library update. The details follow.
>  
> Vulnerable Library Version: com.squareup.okhttp3 : okhttp : 3.7.0
>   CVE ID: [CVE-2018-20200](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20200)
>   Import Path: flink-metrics/flink-metrics-datadog/pom.xml, flink-end-to-end-tests/flink-end-to-end-tests-common/pom.xml, flink-end-to-end-tests/flink-metrics-reporter-prometheus-test/pom.xml, flink-runtime/pom.xml
>   Suggested Safe Versions: 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 4.0.0, 4.0.0-RC1, 4.0.0-RC2, 4.0.0-RC3, 4.0.0-alpha01, 4.0.0-alpha02, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0
>  
> Vulnerable Library Version: com.google.guava : guava : 18.0
>   CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
>   Import Path: flink-connectors/flink-connector-kinesis/pom.xml, flink-connectors/flink-connector-cassandra/pom.xml
>   Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>  
> Vulnerable Library Version: org.apache.hive : hive-exec : 1.2.1
>   CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-exec : 2.0.0
>   CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-exec : 1.1.0
>   CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-exec : 2.1.1
>   CVE ID: [CVE-2017-12625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625), [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-exec : 1.0.1
>   CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-exec : 2.2.0
>   CVE ID: [CVE-2017-12625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625), [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.11.0.2
>   CVE ID: [CVE-2018-1288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288), [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
>   Import Path: flink-connectors/flink-connector-kafka-0.11/pom.xml
>   Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
>  
> Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.10.2.1
>   CVE ID: [CVE-2018-1288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288)
>   Import Path: flink-connectors/flink-connector-kafka-0.10/pom.xml, flink-connectors/flink-connector-kafka-base/pom.xml
>   Suggested Safe Versions: 0.10.2.2, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
>  
> Vulnerable Library Version: org.apache.logging.log4j : log4j-api : 2.7
>   CVE ID: [CVE-2017-5645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645)
>   Import Path: flink-connectors/flink-connector-elasticsearch5/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.8.2, 2.9.0, 2.9.1
>  
> Vulnerable Library Version: org.apache.logging.log4j : log4j-core : 2.7
>   CVE ID: [CVE-2019-17571](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571), [CVE-2017-5645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645)
>   Import Path: flink-connectors/flink-connector-elasticsearch5/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.8.2, 2.9.0, 2.9.1
>  
> Vulnerable Library Version: org.apache.kafka : kafka-clients : 0.10.2.1
>   CVE ID: [CVE-2017-12610](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610)
>   Import Path: flink-connectors/flink-connector-kafka-0.10/pom.xml, flink-connectors/flink-connector-kafka-base/pom.xml
>   Suggested Safe Versions: 0.10.2.2, 0.11.0.2, 0.11.0.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
>  
> Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.10
>   CVE ID: [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201)
>   Import Path: flink-runtime/pom.xml
>   Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7
>  
> Vulnerable Library Version: org.apache.hadoop : hadoop-common : 3.1.0
>   CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
>   Import Path: flink-filesystems/flink-s3-fs-base/pom.xml, flink-filesystems/flink-fs-hadoop-shaded/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  
> Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.5
>   CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
>   Import Path: flink-table/flink-sql-client/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  
> Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.4.1
>   CVE ID: [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713), [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
>   Import Path: flink-connectors/flink-connector-filesystem/pom.xml, flink-yarn/pom.xml, flink-yarn-tests/pom.xml, flink-fs-tests/pom.xml, flink-filesystems/flink-hadoop-fs/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  
> Vulnerable Library Version: org.apache.orc : orc-core : 1.4.3
>   CVE ID: [CVE-2018-8015](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8015)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml, flink-formats/flink-orc/pom.xml
>   Suggested Safe Versions: 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2
>  
> Vulnerable Library Version: org.apache.commons : commons-compress : 1.18
>   CVE ID: [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
>   Import Path: flink-core/pom.xml
>   Suggested Safe Versions: 1.19, 1.20
>  
> Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.1.0
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.2.1
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.0.1
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-metastore : 1.1.0
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-metastore : 1.2.1
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-metastore : 1.0.1
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: com.rabbitmq : amqp-client : 4.2.0
>   CVE ID: [CVE-2018-11087](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11087)
>   Import Path: flink-connectors/flink-connector-rabbitmq/pom.xml
>   Suggested Safe Versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0
>  
> Vulnerable Library Version: org.apache.hive : hive-service : 1.1.0
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2015-1772](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1772)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-service : 1.0.1
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-service : 1.2.1
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.hive : hive-service : 2.0.0
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083)
>   Import Path: flink-connectors/flink-connector-hive/pom.xml
>   Suggested Safe Versions: 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2



--
This message was sent by Atlassian Jira
(v8.20.1#820001)