Iman Sharafaldin created FLINK-26209:
----------------------------------------
Summary: Possibility of Command Injection attack
Key: FLINK-26209
URL: https://issues.apache.org/jira/browse/FLINK-26209
Project: Flink
Issue Type: Bug
Components: Library / Machine Learning
Reporter: Iman Sharafaldin
As you can see in line 134, the command line is built using string concatenation. An
attacker who has control over args can execute malicious commands.
    final String cmd = discoveryScript.getAbsolutePath() + " " + gpuAmount + " " + args;
[https://github.com/apache/flink/blob/0d29b23f892714e4936b8af2f896e3040ddc9e89/flink-external-resources/flink-external-resource-gpu/src/main/java/org/apache/flink/externalresource/gpu/GPUDriver.java#L134]
Reference:
https://owasp.org/www-community/attacks/Command_Injection
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
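The concatenation pattern the report points at, next to an argument-list form, as an added illustration; this is hypothetical code written for this note, not Flink's GPUDriver, and it assumes the discovery arguments are whitespace-separated plain tokens (the allowlist pattern is an assumption as well):

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical illustration for this issue; not Flink's own GPUDriver code.
public final class DiscoveryCommand {

    // Assumed policy: each discovery argument is a plain token with no shell
    // metacharacters, whitespace or quotes.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9_.=:/-]+");

    // The pattern the report describes: a single command string is assembled
    // by concatenation, so whatever `args` contains becomes part of the
    // command text itself rather than a distinct argument.
    static String buildConcatenated(File discoveryScript, int gpuAmount, String args) {
        return discoveryScript.getAbsolutePath() + " " + gpuAmount + " " + args;
    }

    // Hardened form: the executable and every argument are separate argv
    // elements, so no argument can change the command structure, and each
    // caller-supplied token is checked against the allowlist before use.
    static List<String> buildArgv(File discoveryScript, int gpuAmount, String args) {
        List<String> argv = new ArrayList<>();
        argv.add(discoveryScript.getAbsolutePath());
        argv.add(Integer.toString(gpuAmount));
        for (String token : args.trim().split("\\s+")) {
            if (token.isEmpty()) {
                continue;
            }
            if (!SAFE_ARG.matcher(token).matches()) {
                throw new IllegalArgumentException("rejected discovery argument: " + token);
            }
            argv.add(token);
        }
        return argv;
    }

    // ProcessBuilder executes argv directly without a shell, so the tokens
    // reach the discovery script exactly as listed.
    static Process run(File discoveryScript, int gpuAmount, String args) throws IOException {
        return new ProcessBuilder(buildArgv(discoveryScript, gpuAmount, args)).start();
    }
}
```

Rejecting unexpected tokens up front also gives operators a log line to alert on, rather than a silently altered command.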