Iman Sharafaldin created FLINK-26209: ----------------------------------------
Summary: Possibility of Command Injection attack
Key: FLINK-26209
URL: https://issues.apache.org/jira/browse/FLINK-26209
Project: Flink
Issue Type: Bug
Components: Library / Machine Learning
Reporter: Iman Sharafaldin

As you can see in line 134, the command line is built using string concatenation. An attacker who has control over args can execute malicious commands.

    final String cmd = discoveryScript.getAbsolutePath() + " " + gpuAmount + " " + args;

https://github.com/apache/flink/blob/0d29b23f892714e4936b8af2f896e3040ddc9e89/flink-external-resources/flink-external-resource-gpu/src/main/java/org/apache/flink/externalresource/gpu/GPUDriver.java#L134

Reference: https://owasp.org/www-community/attacks/Command_Injection

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
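As an added illustration that is neither part of the report nor Flink's own code, the concatenated pattern quoted from line 134 beside an argument-list form that keeps each argument as a single token. It assumes a hypothetical GpuDiscoveryCommand class, a long gpuAmount, a whitespace-separated args string and a placeholder script path; the report does not show how cmd is executed, so the example starts the list through ProcessBuilder.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/** Added example (hypothetical class, not Flink code). */
public final class GpuDiscoveryCommand {

    // Assumed allowlist for a discovery-script argument: letters, digits, '-', '_', '.', '='.
    private static final Pattern SAFE_TOKEN = Pattern.compile("[A-Za-z0-9_.=-]+");

    /** The pattern quoted in the report: one string, tokenised later by whatever runs it. */
    static String buildUnsafe(File discoveryScript, long gpuAmount, String args) {
        return discoveryScript.getAbsolutePath() + " " + gpuAmount + " " + args;
    }

    /**
     * Hardened form: every argument is its own list element, so no shell or
     * whitespace re-tokenisation can turn part of args into a new command, and
     * each caller-supplied token must match the allowlist. The script itself
     * must still treat its arguments as data rather than evaluate them.
     */
    static List<String> buildSafe(File discoveryScript, long gpuAmount, String args) {
        List<String> cmd = new ArrayList<>();
        cmd.add(discoveryScript.getAbsolutePath());
        cmd.add(Long.toString(gpuAmount));
        if (args != null && !args.trim().isEmpty()) {
            for (String token : args.trim().split("\\s+")) {
                if (!SAFE_TOKEN.matcher(token).matches()) {
                    throw new IllegalArgumentException("rejected discovery-script argument: " + token);
                }
                cmd.add(token);
            }
        }
        return Collections.unmodifiableList(cmd);
    }

    /** Start the script directly from the argument list (no shell is involved). */
    static Process start(List<String> cmd) throws IOException {
        return new ProcessBuilder(cmd).redirectErrorStream(true).start();
    }

    public static void main(String[] a) {
        File script = new File("/opt/flink/gpu-discovery.sh"); // constructed placeholder path
        System.out.println(buildSafe(script, 2, "--mode=nvidia")); // three clean tokens
        try {
            buildSafe(script, 2, "--mode=nvidia;extra"); // ';' is outside the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```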