Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-4732

Maven junction plugin security threat

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • 1.1.3, 1.2.0
    • Build System
    • None

    Description

      We use the Maven Junction plugin http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html to create a symbolic link to the build directory. On Windows, the plugin downloads an executable from the author's homepage which may be modified by an attacker. The plugin has not been updated since 2007 and the maintainer has not shown interest to fix the issue.

      I propose to remove the plugin while this security threat persists.

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. FLINK-4799 Re-add build-target symlink to project root

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          links to

          Web Link GitHub Pull Request #2586

          Activity

            People

              mxm Maximilian Michels
              mxm Maximilian Michels
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: