James Busche created FLINK-28637:
------------------------------------

Summary: High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
Key: FLINK-28637
URL: https://issues.apache.org/jira/browse/FLINK-28637
Project: Flink
Issue Type: Bug
Components: Kubernetes Operator
Affects Versions: kubernetes-operator-1.1.0
Reporter: James Busche
I noticed a high vulnerability in the flink-kubernetes-operator-1.1.0-shaded.jar file.

=======
cvss: 7.5
riskFactors: Has fix,High severity
cve: PRISMA-2022-0239
link: https://github.com/square/okhttp/issues/6738
status: fixed in 4.9.2
packagePath: /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are vulnerable for sensitive information disclosure. An illegal character in a header value will cause IllegalArgumentException which will include full header value. This applies to Authorization, Cookie, Proxy-Authorization and Set-Cookie headers.
=======

It looks like we're using version 3.12.12, and there are no plans to provide this fix for the 3.x version.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
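The scanner finding above describes a header-value check whose exception message echoes the entire value, so a stray control character in an Authorization or Cookie header turns into a credential in the log. The following is an added illustration, not code from the Flink operator or from OkHttp: it models the pre-4.9.2 behaviour beside a redacting check that omits the value for the four sensitive header names the finding lists. The accepted character set (tab plus printable ASCII 0x20..0x7E) and the function names are assumptions made here, and the sample bearer token is constructed.

```python
# Added example: leaky vs. redacting header-value validation.
# Modeled on the behaviour described in the finding, not OkHttp's actual code.

# Header names whose values must never appear in an error message
# (the four names called out in the finding).
SENSITIVE_HEADERS = frozenset(
    h.lower() for h in ("Authorization", "Cookie", "Proxy-Authorization", "Set-Cookie")
)


def _first_illegal_char(value: str):
    """Return (index, char) of the first character outside the assumed
    allowed set (tab or printable ASCII 0x20..0x7E), or None if clean."""
    for i, c in enumerate(value):
        if c != "\t" and not (" " <= c <= "~"):
            return i, c
    return None


def check_header_value_leaky(name: str, value: str) -> None:
    """Pre-fix style check: the raised message includes the full value,
    regardless of which header it belongs to."""
    bad = _first_illegal_char(value)
    if bad is not None:
        i, c = bad
        raise ValueError(f"Unexpected char {ord(c):#x} at {i} in {name} value: {value}")


def is_sensitive_header(name: str) -> bool:
    """Case-insensitive match against the sensitive header names."""
    return name.lower() in SENSITIVE_HEADERS


def check_header_value_redacting(name: str, value: str) -> None:
    """Fixed style check: same validation, but the value is left out of the
    message when the header is one that carries credentials."""
    bad = _first_illegal_char(value)
    if bad is not None:
        i, c = bad
        msg = f"Unexpected char {ord(c):#x} at {i} in {name} value"
        if not is_sensitive_header(name):
            msg += f": {value}"
        raise ValueError(msg)


def error_message(checker, name: str, value: str):
    """Run a checker and return the exception text (what a catch-and-log
    handler would write out), or None when the value is accepted."""
    try:
        checker(name, value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: a token read from a file with a trailing newline,
    # which is a realistic way an illegal character ends up in a header.
    token = "Bearer s3cr3t\n"
    print("leaky:    ", error_message(check_header_value_leaky, "Authorization", token))
    print("redacting:", error_message(check_header_value_redacting, "Authorization", token))
    print("non-sensitive header still shows its value:",
          error_message(check_header_value_redacting, "X-Request-Id", "abc\x7f"))
```

The leaky variant prints the whole bearer token into the exception text; the redacting variant reports only the offending character and its offset. When an older client library cannot be upgraded, the same idea applies at the call site: validate credential-bearing header values before handing them to the client, and catch and rewrite its exceptions before they reach a logger.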