[
https://issues.apache.org/jira/browse/FLINK-33571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17892171#comment-17892171
]
Thomas Cooper commented on FLINK-33571:
---------------------------------------
So looks like there is now a json-path 2.9.0 that addresses an issue in 2.8.0
so we should probably move to that.
json-path now looks to have moved to the flink-shaded build so we will need to
add a json-path-shaded-2.70-0.20 build and then bump the versions in flink.
I am happy to take a look at this.
> Bump json-path from 2.7.0 to 2.8.0
> ----------------------------------
>
> Key: FLINK-33571
> URL: https://issues.apache.org/jira/browse/FLINK-33571
> Project: Flink
> Issue Type: Bug
> Affects Versions: 1.19.0
> Reporter: Yubin Li
> Priority: Major
>
> json-path has critical bugs in 2.7.0 used in flink project, see
> [https://github.com/json-path/JsonPath/issues/906]
> cve: [https://www.cve.org/CVERecord?id=CVE-2023-1370]
> the current version is vulnerable to Denial of Service (DoS) due to a
> StackOverflowError when parsing a deeply nested JSON array or object, and the
> issue has been fixed in 2.8.0.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
