James Busche created FLINK-27654:
------------------------------------

             Summary: Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar
                 Key: FLINK-27654
                 URL: https://issues.apache.org/jira/browse/FLINK-27654
             Project: Flink
          Issue Type: Bug
          Components: Kubernetes Operator
    Affects Versions: kubernetes-operator-0.1.0
            Reporter: James Busche


A twistlock security scan of the latest kubernetes flink operator is showing an older version of jackson-databind in the /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file. I don't know how to control/update the contents of this snapshot file.

I see this in the report (Otherwise, everything else looks good!):

======
severity: High

cvss: 7.5 

riskFactors: Attack complexity: low, Attack vector: network, DoS, Has fix, High severity

cve: CVE-2020-36518

Link: [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]

packageName: com.fasterxml.jackson.core_jackson-databind

packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar

description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

=====

I'd be glad to try to fix it; I'm just not sure how the jackson-databind versions are controlled in this /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
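One way to answer the reporter's question of what a shaded jar actually bundles, given here as an added example and not code from the Jira issue or the Flink project: a Maven-built shaded jar normally keeps each merged dependency's META-INF/maven/<groupId>/<artifactId>/pom.properties entry (an assumption; a build that filters META-INF/maven leaves none), so the jar's own metadata tells you which jackson-databind the scanner saw. The script below constructs a small sample jar in memory, lists the bundled Maven artifacts, and compares the jackson-databind version against 2.13.0, the fixed version named in the scan description. `build_sample_jar` and the artifact list inside it are constructed for the example; on a real file you would call `bundled_artifacts` on the bytes of the shaded jar.

```python
import io
import re
import zipfile

# The scan text says jackson-databind before 2.13.0 is affected by CVE-2020-36518.
FIXED_VERSION = (2, 13, 0)

# Maven writes one pom.properties per merged artifact (assumption: not filtered out by the build).
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """Turn '2.12.3' into (2, 12, 3); a non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_pom_properties(data):
    """Parse the key=value lines of a pom.properties file, ignoring comments."""
    props = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties inside the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if not m:
                continue
            props = parse_pom_properties(zf.read(name))
            key = (props.get("groupId", m.group(1)), props.get("artifactId", m.group(2)))
            found[key] = props.get("version", "")
    return found


def vulnerable_jackson_databind(jar_bytes, fixed=FIXED_VERSION):
    """True if the jar bundles jackson-databind older than `fixed`, False if not,
    None if no jackson-databind metadata is present (check another fingerprint then)."""
    version = bundled_artifacts(jar_bytes).get(("com.fasterxml.jackson.core", "jackson-databind"))
    if version is None:
        return None
    return parse_version(version) < fixed


def build_sample_jar(databind_version=None):
    """Constructed stand-in for a shaded jar: a zip with Maven metadata and a dummy class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
            "#Generated by Maven\nversion=2.13.0\ngroupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-core\n",
        )
        if databind_version is not None:
            zf.writestr(
                "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                f"#Generated by Maven\nversion={databind_version}\n"
                "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n",
            )
        zf.writestr("org/example/Shaded.class", b"\xca\xfe\xba\xbe")  # dummy class bytes
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.12.3", "2.13.0", "2.13.2.2"):
        jar = build_sample_jar(v)
        print(v, "vulnerable" if vulnerable_jackson_databind(jar) else "ok", bundled_artifacts(jar))
```

The same `bundled_artifacts` call on the real shaded jar gives the full list of merged artifacts, which is the quickest way to see which transitive dependency (rather than the operator's own pom) pulled in the old jackson-databind. If the function returns no jackson-databind entry, the build stripped META-INF/maven and the version has to be identified another way, for example from the scanner's own report.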