Posted to issues@flink.apache.org by "Gyula Fora (Jira)" <ji...@apache.org> on 2022/07/21 16:24:00 UTC

[jira] [Commented] (FLINK-28637) High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar

    [ https://issues.apache.org/jira/browse/FLINK-28637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569508#comment-17569508 ] 

Gyula Fora commented on FLINK-28637:
------------------------------------

We need to make sure that fabric8 and java-operator-sdk use a version of this library that has this fix and then bump those versions.

Based on the description this should not really affect the operator as the http client is not exposed to the user.

> High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
> ----------------------------------------------------------------
>
>                 Key: FLINK-28637
>                 URL: https://issues.apache.org/jira/browse/FLINK-28637
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-1.1.0
>            Reporter: James Busche
>            Priority: Major
>
> I noticed a high vulnerability in the flink-kubernetes-operator-1.1.0-shaded.jar file.
> =======
> cvss: 7.5
> riskFactors: Has fix,High severity
> cve: PRISMA-2022-0239    
> link: https://github.com/square/okhttp/issues/6738
> status: fixed in 4.9.2
> packagePath: /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are vulnerable for sensitive information disclosure. An illegal character in a header value will cause IllegalArgumentException which will include full header value. This applies to Authorization, Cookie, Proxy-Authorization and Set-Cookie headers. 
> =======
> It looks like we're using version 3.12.12, and there are no plans to provide this fix for the 3.x version.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
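To make the failure mode in the ticket description concrete: the issue is not the rejection of the illegal character, it is that the IllegalArgumentException raised for it carries the full header value, so a bearer token or cookie can end up in logs or error reports. The following is an added, constructed illustration of that pattern and of the shape of the fix (omit the value from the message when the header name is sensitive); it is not okhttp's code, not the operator's code, and the class, method names and sample token are assumptions made for this example. The four header names match the ones listed in the ticket.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Constructed illustration of the header-validation leak described in
 * FLINK-28637 (okhttp before 4.9.2). Not okhttp's code. Both validators
 * reject a header value containing a character outside the visible ASCII
 * range (plus TAB); the difference is what the exception message reveals.
 */
public final class HeaderValueLeakDemo {

    // Headers whose values must never be echoed into an exception message.
    // The set mirrors the four headers named in the ticket description.
    private static final Set<String> SENSITIVE_HEADERS =
            Set.of("authorization", "cookie", "proxy-authorization", "set-cookie");

    private static boolean isIllegal(char c) {
        return c != '\t' && (c < '\u0020' || c > '\u007e');
    }

    /** Leaky behaviour: the full header value is included in the message. */
    static void checkValueLeaky(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (isIllegal(c)) {
                throw new IllegalArgumentException(String.format(Locale.ROOT,
                        "Unexpected char %#04x at %d in %s value: %s", (int) c, i, name, value));
            }
        }
    }

    /** Hardened behaviour: the value is omitted for sensitive header names. */
    static void checkValueRedacted(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (isIllegal(c)) {
                String suffix = isSensitive(name) ? "" : ": " + value;
                throw new IllegalArgumentException(String.format(Locale.ROOT,
                        "Unexpected char %#04x at %d in %s value%s", (int) c, i, name, suffix));
            }
        }
    }

    static boolean isSensitive(String name) {
        return SENSITIVE_HEADERS.contains(name.toLowerCase(Locale.ROOT));
    }

    /** Runs a validator and returns its exception message, or null if the value was accepted. */
    static String messageFrom(Runnable validator) {
        try {
            validator.run();
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed bearer token with an embedded newline, the kind of
        // illegal character that trips the check.
        String token = "Bearer s3cr3t-token\nX-Injected: 1";

        // Leaky message contains "s3cr3t-token"; redacted message stops at "value".
        System.out.println("leaky:    " + messageFrom(() -> checkValueLeaky("Authorization", token)));
        System.out.println("redacted: " + messageFrom(() -> checkValueRedacted("Authorization", token)));

        // A non-sensitive header still carries its value in the message, which
        // keeps the diagnostic useful where there is nothing secret to protect.
        System.out.println("accept:   " + messageFrom(() -> checkValueRedacted("Accept", "text/\u0080")));

        // A clean value passes both validators silently.
        System.out.println("ok:       " + messageFrom(() -> checkValueRedacted("Authorization", "Bearer ok")));
    }
}
```

When triaging a report like this one, the practical check is whether any code path can feed attacker-influenced or secret-bearing header values into the client and then log or surface the resulting exception; if neither the value nor the exception text ever leaves the process, the exposure is limited, which is the reasoning behind the comment above.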