Anupam Aggarwal created FLINK-36920:
---------------------------------------

             Summary: Update org.quartz-schedule:quartz
                 Key: FLINK-36920
                 URL: https://issues.apache.org/jira/browse/FLINK-36920
             Project: Flink
          Issue Type: Improvement
          Components: Kubernetes Operator
    Affects Versions: 1.10.0
            Reporter: Anupam Aggarwal

Update the dependency on org.quartz-scheduler:quartz used in the flink-autoscaler module from 2.3.2 to 2.4.0.

*Vulnerability info:*

CVE-2023-39017: quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.

More details are at: https://nvd.nist.gov/vuln/detail/cve-2023-39017

*Proposed fix*

Bump the dependency from 2.3.2 to 2.4.0.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
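To confirm that the bump actually reached a module's resolved dependency set, here is an added example (not part of the ticket or the Flink code base) that scans `mvn dependency:tree` output for org.quartz-scheduler artifacts below the 2.4.0 version the ticket proposes; the sample tree, module name and neighbouring versions are constructed.

```python
"""Flag org.quartz-scheduler artifacts older than the version FLINK-36920 bumps to.

Constructed example; not part of the ticket or the Flink project.
"""
import re

# Threshold taken from the ticket: org.quartz-scheduler:quartz -> 2.4.0.
GROUP_ID = "org.quartz-scheduler"
FIXED_VERSION = "2.4.0"
# The ticket bumps `quartz`; the CVE text names `quartz-jobs`, so check both.
ARTIFACTS = {"quartz", "quartz-jobs"}

# Matches `groupId:artifactId:packaging:version[:scope]` as printed by
# `mvn dependency:tree`; the tree-drawing prefix is simply skipped over.
_COORD = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<p>\w+):(?P<v>[\w.\-]+)(?::(?P<s>\w+))?"
)


def parse_version(v):
    """Turn '2.3.2' or '2.4.0-SNAPSHOT' into a comparable tuple of ints."""
    core = v.split("-", 1)[0]
    return tuple(int(x) if x.isdigit() else 0 for x in core.split("."))


def find_vulnerable_quartz(lines):
    """Return (artifact, version) for every Quartz coordinate below the fix."""
    hits = []
    for line in lines:
        m = _COORD.search(line)
        if not m or m.group("g") != GROUP_ID or m.group("a") not in ARTIFACTS:
            continue
        if parse_version(m.group("v")) < parse_version(FIXED_VERSION):
            hits.append((m.group("a"), m.group("v")))
    return hits


# Constructed sample of `mvn dependency:tree` output; the module coordinate
# and the non-Quartz versions are illustrative, not taken from Flink.
SAMPLE_TREE = """\
[INFO] org.apache.flink:flink-autoscaler:jar:1.10-SNAPSHOT
[INFO] +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] |  \\- com.mchange:c3p0:jar:0.9.5.4:compile
[INFO] +- org.quartz-scheduler:quartz-jobs:jar:2.3.2:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version in find_vulnerable_quartz(SAMPLE_TREE):
        print(f"{GROUP_ID}:{artifact} {version} < {FIXED_VERSION}: update required")
```

Run it against real `mvn dependency:tree -Dincludes=org.quartz-scheduler` output to verify that no transitive path still resolves the older version after the bump.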