You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flink.apache.org by "James Busche (Jira)" <ji...@apache.org> on 2022/05/16 22:58:00 UTC

[jira] [Created] (FLINK-27654) Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar

James Busche created FLINK-27654:
------------------------------------

             Summary: Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar
                 Key: FLINK-27654
                 URL: https://issues.apache.org/jira/browse/FLINK-27654
             Project: Flink
          Issue Type: Bug
          Components: Kubernetes Operator
    Affects Versions: kubernetes-operator-0.1.0
            Reporter: James Busche


A twistlock security scan of the latest kubernetes flink operator is showing an older version of jackson-databind in the /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file.  I don't know how to control/update the contents of this snapshot file.  

I see this in the report (Otherwise, everything else looks good!):

======
severity: High

cvss: 7.5 

riskFactors: Attack complexity: low,Attack vector: network,DoS,Has fix,High severity

cve: CVE-2020-36518

Link: [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]

packageName: com.fasterxml.jackson.core_jackson-databind

packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar

description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

=====

I'd be glad to try to fix it, I'm just not sure how the jackson-databind versions are controlled in this /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)