James Busche created FLINK-29853:
------------------------------------
Summary: Older jackson-databind found in
flink-kubernetes-operator-1.2.0-shaded.jar
Key: FLINK-29853
URL: https://issues.apache.org/jira/browse/FLINK-29853
Project: Flink
Issue Type: Bug
Components: Kubernetes Operator
Affects Versions: kubernetes-operator-1.2.1
Reporter: James Busche
A Twistlock security scan of the existing 1.2.0 operator as well as the current
main release shows a high vulnerability with the current jackson-databind
version.
======
severity: High
cvss: 7.5
riskFactors: Attack complexity: low,Attack vector: network,Has fix,High
severity,Recent vulnerability
CVE link: [https://nvd.nist.gov/vuln/detail/CVE-2022-42003]
packageName: com.fasterxml.jackson.core_jackson-databind
packagePath:
/flink-kubernetes-operator/flink-kubernetes-operator-1.2.0-shaded.jar and/or
/flink-kubernetes-operator/flink-kubernetes-operator-1.3-SNAPSHOT-shaded.jar
description: In FasterXML jackson-databind before 2.14.0-rc1, resource
exhaustion can occur because of a lack of a check in primitive value
deserializers to avoid deep wrapper array nesting, when the
UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in
2.13.4.1 and 2.12.17.1
====
This is exactly like the older issue
https://issues.apache.org/jira/browse/FLINK-27654
I'm going to see if I can fix it myself and create a PR if I'm successful.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
