[
https://issues.apache.org/jira/browse/FLINK-28637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569909#comment-17569909
]
Gyula Fora commented on FLINK-28637:
------------------------------------
We also need to check with the JOSDK team if they plan on migrating to fabric8
6.0.0 soon, in that case we could get rid of okhttp completely instead of
swapping the dependency.
> High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
> ----------------------------------------------------------------
>
> Key: FLINK-28637
> URL: https://issues.apache.org/jira/browse/FLINK-28637
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.1.0
> Reporter: James Busche
> Priority: Major
>
> I noticed a high vulnerability in the
> flink-kubernetes-operator-1.1.0-shaded.jar file.
> =======
> cvss: 7.5
> riskFactors: Has fix,High severity
> cve: PRISMA-2022-0239
> link: https://github.com/square/okhttp/issues/6738
> status: fixed in 4.9.2
> packagePath:
> /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are
> vulnerable to sensitive information disclosure. An illegal character in a
> header value will cause IllegalArgumentException which will include full
> header value. This applies to Authorization, Cookie, Proxy-Authorization and
> Set-Cookie headers.
> =======
> It looks like we're using version 3.12.12, and there are no plans to provide
> this fix for the 3.x version.
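The leak pattern the quoted description refers to, as an added illustration that is not okhttp's code or the operator project's own: a header-value check that echoes the whole value into the exception message, beside a hardened check that reports only the offending position and code point. The class, method names and sample token are invented for this example.

```java
import java.util.Locale;
import java.util.Set;

// Illustration of the failure mode in the report, not okhttp's code: a header
// value check that echoes the whole value into the exception (leaky) beside
// one that reports only the position and code point of the bad character.
public class HeaderValueCheck {
    // Values of these headers must never reach exception messages or logs.
    private static final Set<String> SENSITIVE = Set.of(
        "authorization", "cookie", "proxy-authorization", "set-cookie");

    // HTTP header values may contain HTAB and visible ASCII (0x20-0x7E).
    private static boolean isLegal(char c) {
        return c == '\t' || (c >= '\u0020' && c <= '\u007e');
    }

    // Leaky: the full value lands in the message, hence in stack traces/logs.
    static void checkValueLeaky(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (!isLegal(c)) {
                throw new IllegalArgumentException("Unexpected char 0x"
                    + Integer.toHexString(c) + " at " + i + " in " + name
                    + " value: " + value);
            }
        }
    }

    // Hardened: same check, but a sensitive value is never echoed and other
    // values are described only by their length.
    static void checkValueSafe(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (!isLegal(c)) {
                String detail = SENSITIVE.contains(name.toLowerCase(Locale.ROOT))
                    ? "[redacted]" : "(length " + value.length() + ")";
                throw new IllegalArgumentException("Unexpected char 0x"
                    + Integer.toHexString(c) + " at " + i + " in " + name
                    + " value " + detail);
            }
        }
    }
    public static void main(String[] args) {
        String token = "Bearer s3cr3t\n"; // constructed sample with an illegal LF
        try { checkValueLeaky("Authorization", token); }
        catch (IllegalArgumentException e) { System.out.println("leaky: " + e.getMessage()); }
        try { checkValueSafe("Authorization", token); }
        catch (IllegalArgumentException e) { System.out.println("safe:  " + e.getMessage()); }
    }
}
```

Until the shaded jar carries a fixed okhttp, the same redaction should be applied wherever the operator's own code logs or rethrows exceptions raised while building requests with those headers.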