Details
Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Version: kubernetes-operator-0.1.0
Description
A Twistlock security scan of the latest Kubernetes Flink operator is showing an older version of jackson-databind in the /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file. I don't know how to control/update the contents of this snapshot file.
I see this in the report (Otherwise, everything else looks good!):
======
severity: High
cvss: 7.5
riskFactors: Attack complexity: low,Attack vector: network,DoS,Has fix,High severity
cve: CVE-2020-36518
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
packageName: com.fasterxml.jackson.core_jackson-databind
packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
=====
I'd be glad to try to fix it; I'm just not sure how the jackson-databind versions are controlled in this /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar.
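The first thing to establish for a finding like this is which jackson-databind version is actually bundled in the shaded jar, independently of what the scanner reports. The script below is an added example for this ticket, not code from the Flink Kubernetes Operator project. It assumes the shaded jar still carries the Maven metadata that maven-shade-plugin copies from each dependency by default (META-INF/maven/<groupId>/<artifactId>/pom.properties), which is also the entry container scanners read to identify a bundled package, and it takes the vulnerable range ("before 2.13.0") from the scanner text quoted above. The jar it builds for the demonstration is a constructed stand-in containing only that metadata entry.

```python
"""Report the jackson-databind version bundled in a shaded jar and compare it
against the fixed version named in the scanner finding.

Added example, not part of the Flink Kubernetes Operator code base. Assumes the
shade plugin left META-INF/maven/<groupId>/<artifactId>/pom.properties in the jar.
"""
import io
import re
import sys
import zipfile
from typing import Optional, Tuple

GROUP_ID = "com.fasterxml.jackson.core"
ARTIFACT_ID = "jackson-databind"
# Threshold taken from the scanner description quoted in the ticket ("before 2.13.0").
FIXED_IN = "2.13.0"

POM_PROPERTIES = f"META-INF/maven/{GROUP_ID}/{ARTIFACT_ID}/pom.properties"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.12.3', '2.13.2.1' or '2.12.6.1-rc1' into a comparable tuple of ints.

    Only the leading dotted numeric components are compared; a qualifier such as
    '-rc1' is dropped. The tuple is padded to four components so that '2.13'
    compares equal to '2.13.0.0'.
    """
    numeric = re.match(r"(\d+(?:\.\d+)*)", version)
    if not numeric:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in numeric.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def bundled_version(jar_bytes: bytes) -> Optional[str]:
    """Return the jackson-databind version recorded in the jar's Maven metadata,
    or None when no pom.properties for it is present (metadata filtered out by the
    shade configuration, or the artifact is not bundled at all)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def is_vulnerable(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True when the bundled version is older than the version the finding names as fixed."""
    return parse_version(version) < parse_version(fixed_in)


def check_jar(jar_bytes: bytes) -> str:
    """One-line verdict suitable for a CI log."""
    version = bundled_version(jar_bytes)
    if version is None:
        return f"{ARTIFACT_ID}: no pom.properties found (metadata stripped or not bundled)"
    state = "VULNERABLE" if is_vulnerable(version) else "ok"
    return f"{ARTIFACT_ID} {version}: {state} (fixed in {FIXED_IN})"


def build_fake_shaded_jar(version: str, include_metadata: bool = True) -> bytes:
    """Constructed stand-in for flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:
    a zip holding only a manifest and (optionally) the Maven metadata entry this
    check relies on. Used for the offline demonstration and tests only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_metadata:
            jar.writestr(
                POM_PROPERTIES,
                f"groupId={GROUP_ID}\nartifactId={ARTIFACT_ID}\nversion={version}\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python check_shaded_jar.py path/to/flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
        with open(sys.argv[1], "rb") as f:
            print(check_jar(f.read()))
    else:
        # Offline demonstration on constructed jars.
        for v in ("2.12.3", "2.13.0", "2.13.2.1"):
            print(check_jar(build_fake_shaded_jar(v)))
        print(check_jar(build_fake_shaded_jar("2.12.3", include_metadata=False)))
```

Run it against the real shaded jar to confirm the scanner's identification before changing anything. If the pom.properties entry is missing, the shade configuration has filtered Maven metadata out, and the version has to be read from the class files or from the build's resolved dependency tree instead. In a Maven build (the `-shaded.jar` suffix is the shade plugin's default naming, so that is the assumption here), the bundled version is whatever the shading module resolves for `com.fasterxml.jackson.core:jackson-databind`, so the version is normally controlled by pinning it in that module's or the parent's `dependencyManagement` rather than by editing the jar.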