Jeff Hu created FLINK-18841:
-------------------------------

             Summary: CVE-2018-10237 and CWE-400 occurred in flink dependency
                 Key: FLINK-18841
                 URL: https://issues.apache.org/jira/browse/FLINK-18841
             Project: Flink
          Issue Type: Bug
          Components: Table SQL / Planner
    Affects Versions: 1.11.1
         Environment: flink:1.11.1
scala:2.11
            Reporter: Jeff Hu

CVE-2018-10237 and CWE-400 are caused by the jar {{com.google.guava:guava:18.0}}, which {{flink-shaded-guava-18.0-6.0.jar}} and {{flink-table-planner_2.11-1.11.1.jar}} depend on. These dependencies are internal references from Flink.

[https://github.com/apache/flink/blob/master/pom.xml]

    <!-- WARN:
        DO NOT put guava,
        protobuf,
        asm,
        netty
        here. It will overwrite Hadoop's guava dependency (even though we handle it
        separatly in the flink-shaded-hadoop-2 dependency).
    -->
    <dependencies>

        <dependency>
            <groupId>org.apache.flink</groupId>
            <artifactId>flink-shaded-asm-7</artifactId>
            <version>7.1-${flink.shaded.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.flink</groupId>
            <artifactId>flink-shaded-guava</artifactId>
            <version>18.0-${flink.shaded.version}</version>
        </dependency>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
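A triage check for a report like the one above, added here as an example; it is not code from the Flink project or from the reporter. It opens a jar, reads a bundled guava pom.properties (if the shade plugin left one) to recover the guava version, looks for the two classes the CVE-2018-10237 description names (AtomicDoubleArray, CompoundOrdering) by path suffix so that relocated copies inside a shaded jar are still found, and classifies the jar against the affected range (11.0 up to but not including 24.1.1). The relocation prefix org/apache/flink/shaded/guava18/ is an assumption about how flink-shaded-guava relocates packages, and all three jars scanned are constructed in-memory fixtures, not the real artifacts.

```python
import io
import re
import zipfile

# Affected range from the CVE-2018-10237 description: Guava 11.0 through 24.x before 24.1.1.
VULNERABLE_MIN = (11, 0, 0)
FIXED_IN = (24, 1, 1)

# The two classes the CVE description names (Java serialization of AtomicDoubleArray,
# GWT serialization of CompoundOrdering). Matched by suffix so relocated copies count.
MARKER_CLASSES = (
    "com/google/common/util/concurrent/AtomicDoubleArray.class",
    "com/google/common/collect/CompoundOrdering.class",
)

GUAVA_POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"


def parse_guava_version(text):
    """'18.0' -> (18, 0, 0); '24.1.1-jre' -> (24, 1, 1); None if unparseable."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable_version(version):
    return VULNERABLE_MIN <= version < FIXED_IN


def scan_jar(jar_bytes):
    """Classify a jar as 'vulnerable', 'suspect' or 'clean' for CVE-2018-10237."""
    versions, markers = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            # Assumption: the shade plugin kept guava's pom.properties in the jar.
            if name == GUAVA_POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        v = parse_guava_version(line.split("=", 1)[1])
                        if v:
                            versions.append(v)
            if name.endswith(MARKER_CLASSES):
                markers.append(name)
    if any(is_vulnerable_version(v) for v in versions):
        status = "vulnerable"
    elif markers and not versions:
        status = "suspect"  # class bundled but version metadata stripped: review by hand
    else:
        status = "clean"
    return {"status": status, "guava_versions": versions, "marker_classes": markers}


def build_jar(entries):
    """Build an in-memory jar (a zip) from {entry_name: bytes_or_str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Assumption: flink-shaded-guava relocates guava under this prefix.
SHADED_PREFIX = "org/apache/flink/shaded/guava18/"
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder

# Constructed stand-in for flink-shaded-guava-18.0-6.0.jar (not the real artifact).
SHADED_GUAVA18_JAR = build_jar({
    GUAVA_POM_PROPS: "groupId=com.google.guava\nartifactId=guava\nversion=18.0\n",
    SHADED_PREFIX + MARKER_CLASSES[0]: FAKE_CLASS,
    SHADED_PREFIX + MARKER_CLASSES[1]: FAKE_CLASS,
})

# Constructed stand-in for an unshaded guava at a fixed version.
GUAVA_30_JAR = build_jar({
    GUAVA_POM_PROPS: "version=30.1-jre\n",
    MARKER_CLASSES[0]: FAKE_CLASS,
})

# Constructed: relocated class present but pom.properties stripped by the shade plugin.
STRIPPED_JAR = build_jar({SHADED_PREFIX + MARKER_CLASSES[1]: FAKE_CLASS})

if __name__ == "__main__":
    for label, jar in (("shaded guava 18", SHADED_GUAVA18_JAR),
                       ("guava 30.1", GUAVA_30_JAR),
                       ("stripped metadata", STRIPPED_JAR)):
        print(label, scan_jar(jar))
```

To run it against a real artifact, pass the file contents: scan_jar(open("flink-shaded-guava-18.0-6.0.jar", "rb").read()). A "vulnerable" result establishes that the vulnerable code is bundled, not that it is reachable: CVE-2018-10237 is a denial of service triggered when attacker-supplied serialized data is deserialized into those classes, and the report above does not identify a Flink code path that does so.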