Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-4732

Maven junction plugin security threat

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • 1.1.3, 1.2.0
    • Build System
    • None

    Description

      We use the Maven Junction plugin http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html to create a symbolic link to the build directory. On Windows, the plugin downloads an executable from the author's homepage which may be modified by an attacker. The plugin has not been updated since 2007 and the maintainer has not shown interest to fix the issue.

      I propose to remove the plugin while this security threat persists.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            mxm Maximilian Michels
            mxm Maximilian Michels
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment