[FLINK-29235] Update SnakeYAML to 1.31 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.15.3
Fix Version/s: 1.17.0
Component/s: Build System, BuildSystem / Shaded
Labels:
None

Description

Flink uses snakeyaml v1.27.
flink-shaded uses Jackson 2.12.4, which used snakeyaml v1.29

Those version are vulnerable to CVE-2022-25857. Flink itself is not directly impacted by this CVE, but we should bump this to avoid false flags.

Ref:

https://nvd.nist.gov/vuln/detail/CVE-2022-25857

https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.12.4-15.0/flink-shaded-jackson-2.12.4-15.0.pom

https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/flink-shaded-jackson-2/pom.xml#L73

Attachments

Activity

People

Assignee:: Martijn Visser

Reporter:: Sergio Sainz

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Sep/22 16:35

Updated:: 11/Nov/22 10:06

Resolved:: 11/Nov/22 10:06