Hi Chirag,
How are you using Flink? Do you allow users to pass in arbitrary Avro
schemas to a Flink cluster?
If not, then I don't think the CVE applies to you. If so, then I'd imagine
that replacing the Avro 1.11.3 jar with the 1.11.4 may be a suitable
mitigation. The fix in Apache Flink only

Hi Barak,
The missing class is in "flink-core", I think adding that dependency will
provide it.
The release notes for 1.14 note that Connectors no longer bundle
"flink-core". I imagine this is what has caused your issue.
https://nightlies.apache.org/flink/flink-docs-release-1.18/release-notes/fl