Flink / FLINK-16356

Some dependencies contain CVEs

Details

    Description

      I found that your project uses some dependencies that contain CVEs. To prevent the potential risk this may cause, I suggest a library update. The details are as follows.

      Vulnerable Library Version: com.squareup.okhttp3 : okhttp : 3.7.0
      CVE ID: [CVE-2018-20200](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20200)
      Import Path: flink-metrics/flink-metrics-datadog/pom.xml, flink-end-to-end-tests/flink-end-to-end-tests-common/pom.xml, flink-end-to-end-tests/flink-metrics-reporter-prometheus-test/pom.xml, flink-runtime/pom.xml
      Suggested Safe Versions: 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 4.0.0, 4.0.0-RC1, 4.0.0-RC2, 4.0.0-RC3, 4.0.0-alpha01, 4.0.0-alpha02, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0

      Vulnerable Library Version: com.google.guava : guava : 18.0
      CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
      Import Path: flink-connectors/flink-connector-kinesis/pom.xml, flink-connectors/flink-connector-cassandra/pom.xml
      Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre

      Vulnerable Library Version: org.apache.hive : hive-exec : 1.2.1
      CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-exec : 2.0.0
      CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-exec : 1.1.0
      CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-exec : 2.1.1
      CVE ID: [CVE-2017-12625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625), [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-exec : 1.0.1
      CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-exec : 2.2.0
      CVE ID: [CVE-2017-12625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625), [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.11.0.2
      CVE ID: [CVE-2018-1288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288), [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
      Import Path: flink-connectors/flink-connector-kafka-0.11/pom.xml
      Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0

      Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.10.2.1
      CVE ID: [CVE-2018-1288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288)
      Import Path: flink-connectors/flink-connector-kafka-0.10/pom.xml, flink-connectors/flink-connector-kafka-base/pom.xml
      Suggested Safe Versions: 0.10.2.2, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0

      Vulnerable Library Version: org.apache.logging.log4j : log4j-api : 2.7
      CVE ID: [CVE-2017-5645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645)
      Import Path: flink-connectors/flink-connector-elasticsearch5/pom.xml
      Suggested Safe Versions: 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.8.2, 2.9.0, 2.9.1

      Vulnerable Library Version: org.apache.logging.log4j : log4j-core : 2.7
      CVE ID: [CVE-2019-17571](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571), [CVE-2017-5645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645)
      Import Path: flink-connectors/flink-connector-elasticsearch5/pom.xml
      Suggested Safe Versions: 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.8.2, 2.9.0, 2.9.1

      Vulnerable Library Version: org.apache.kafka : kafka-clients : 0.10.2.1
      CVE ID: [CVE-2017-12610](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610)
      Import Path: flink-connectors/flink-connector-kafka-0.10/pom.xml, flink-connectors/flink-connector-kafka-base/pom.xml
      Suggested Safe Versions: 0.10.2.2, 0.11.0.2, 0.11.0.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0

      Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.10
      CVE ID: [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201)
      Import Path: flink-runtime/pom.xml
      Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7

      Vulnerable Library Version: org.apache.hadoop : hadoop-common : 3.1.0
      CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
      Import Path: flink-filesystems/flink-s3-fs-base/pom.xml, flink-filesystems/flink-fs-hadoop-shaded/pom.xml
      Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

      Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.5
      CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
      Import Path: flink-table/flink-sql-client/pom.xml
      Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

      Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.4.1
      CVE ID: [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713), [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
      Import Path: flink-connectors/flink-connector-filesystem/pom.xml, flink-yarn/pom.xml, flink-yarn-tests/pom.xml, flink-fs-tests/pom.xml, flink-filesystems/flink-hadoop-fs/pom.xml
      Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

      Vulnerable Library Version: org.apache.orc : orc-core : 1.4.3
      CVE ID: [CVE-2018-8015](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8015)
      Import Path: flink-connectors/flink-connector-hive/pom.xml, flink-formats/flink-orc/pom.xml
      Suggested Safe Versions: 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2

      Vulnerable Library Version: org.apache.commons : commons-compress : 1.18
      CVE ID: [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
      Import Path: flink-core/pom.xml
      Suggested Safe Versions: 1.19, 1.20

      Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.1.0
      CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.2.1
      CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.0.1
      CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-metastore : 1.1.0
      CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-metastore : 1.2.1
      CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-metastore : 1.0.1
      CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: com.rabbitmq : amqp-client : 4.2.0
      CVE ID: [CVE-2018-11087](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11087)
      Import Path: flink-connectors/flink-connector-rabbitmq/pom.xml
      Suggested Safe Versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0

      Vulnerable Library Version: org.apache.hive : hive-service : 1.1.0
      CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2015-1772](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1772)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-service : 1.0.1
      CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-service : 1.2.1
      CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Vulnerable Library Version: org.apache.hive : hive-service : 2.0.0
      CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083)
      Import Path: flink-connectors/flink-connector-hive/pom.xml
      Suggested Safe Versions: 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2

      Attachments

        1. apache-flink_CVE-report.md
          2 kB
          XuCongying

          People

            Unassigned Unassigned
            XuCY XuCongying

              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 40m