Flink / FLINK-4732

Maven junction plugin security threat

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2.0, 1.1.3
    • Component/s: Build System
    • Labels:
      None

      Description

      We use the Maven Junction plugin http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html to create a symbolic link to the build directory. On Windows, the plugin downloads an executable from the author's homepage which may be modified by an attacker. The plugin has not been updated since 2007 and the maintainer has not shown interest in fixing the issue.

      I propose to remove the plugin while this security threat persists.
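
      Added example (not part of the original issue and not Flink's own code): a small audit that finds every declaration of the plugin in a Maven POM, including ones inside profiles, so a build can be checked for it before and after removal. The artifact id is taken from the plugin URL above; the sample POM, its groupId and its version are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Artifact id taken from the plugin URL in the issue description.
FLAGGED_ARTIFACT = "maven-junction-plugin"

# Constructed sample POM (not Flink's pom.xml); groupId and version are assumed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins>
    <plugin><artifactId>maven-compiler-plugin</artifactId></plugin>
  </plugins></build>
  <profiles><profile>
    <id>windows-link</id>
    <build><plugins>
      <plugin>
        <groupId>com.pyx4j</groupId>
        <artifactId>maven-junction-plugin</artifactId>
        <version>0.0.0-sample</version>
      </plugin>
    </plugins></build>
  </profile></profiles>
</project>
"""

def local(tag):
    """Strip the XML namespace so namespaced and bare POMs match alike."""
    return tag.rsplit("}", 1)[-1]

def find_flagged_plugins(pom_text, artifact=FLAGGED_ARTIFACT):
    """Return (location, groupId, version) for every <plugin> using `artifact`."""
    root = ET.fromstring(pom_text)
    hits = []

    def walk(node, path):
        here = path + [local(node.tag)]
        if local(node.tag) == "plugin":
            fields = {local(c.tag): (c.text or "").strip() for c in node}
            if fields.get("artifactId") == artifact:
                hits.append(("/".join(here), fields.get("groupId"), fields.get("version")))
        for child in node:
            walk(child, here)

    walk(root, [])
    return hits

if __name__ == "__main__":
    for location, group, version in find_flagged_plugins(SAMPLE_POM):
        print(f"{location}: {group}:{FLAGGED_ARTIFACT}:{version}")
```

      Run it over the root POM and every module POM of a project; an empty result means no build path, including Windows-only profiles, still pulls in the plugin.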

              People

              • Assignee:
                mxm Maximilian Michels
                Reporter:
                mxm Maximilian Michels