Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
kubernetes-operator-1.2.1
Description
A Twistlock security scan of the existing 1.2.0 operator as well as the current main release shows a high vulnerability with the current jackson-databind version.
======
severity: High
cvss: 7.5
riskFactors: Attack complexity: low,Attack vector: network,Has fix,High severity,Recent vulnerability
CVE link: https://nvd.nist.gov/vuln/detail/CVE-2022-42003
packageName: com.fasterxml.jackson.core_jackson-databind
packagePath: /flink-kubernetes-operator/flink-kubernetes-operator-1.2.0-shaded.jar and/or /flink-kubernetes-operator/flink-kubernetes-operator-1.3-SNAPSHOT-shaded.jar
description: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
====
This is exactly like the older issue https://issues.apache.org/jira/browse/FLINK-27654
I'm going to see if I can fix it myself and create a PR if I'm successful.
Attachments
Issue Links
- links to