Hello,
The following dependency vulnerabilities were found with Flink version 1.12.3. Please provide your input on this.
Severity: High
Description: Apache Commons IO contains a flaw that is due to the program failing to restrict which class can be serialized. This may allow
a remote attacker to execute arbitrary Java code via deserialization methods.
References:
https://issues.apache.org/jira/browse/IO-675
Paths:
/opt/flink/lib/flink-dist_2.11-1.12.3.jar:commons-io (fixed in: 2.8.0)
/opt/flink/lib/flink-table-blink_2.11-1.12.3.jar:commons-io (fixed in: 2.8.0)

Severity: High
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Paths:
/opt/flink/examples/streaming/Twitter.jar:guava (fixed in: 23.6.1, 24.1.1, 25.0)

Severity: High
Description:
Apache Commons Compress contains a flaw in the ZipFile::readCentralDirectoryEntry() function in main/java/org/apache/commons/compress/archivers/zip/ZipFile.java related to an uncaught
exception. This may allow a context-dependent attacker to crash a process linked against the library.
Paths:
/opt/flink/lib/flink-dist_2.11-1.12.3.jar:commons-compress
/opt/flink/opt/flink-python_2.11-1.12.3.jar:commons-compress
References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33462

Severity: High
Paths:
/opt/flink/opt/flink-python_2.11-1.12.3.jar:flatbuffers-java
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-35864

Severity: High
Paths:
/opt/flink/lib/flink-dist_2.11-1.12.3.jar:mesos
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-11793
https://nvd.nist.gov/vuln/detail/CVE-2019-0204
https://nvd.nist.gov/vuln/detail/CVE-2019-5736

Severity: Medium
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-13956
Paths:
/opt/flink/examples/streaming/Twitter.jar:httpclient
Regards,
Suchithra