[
https://issues.apache.org/jira/browse/FLINK-29853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gyula Fora closed FLINK-29853.
------------------------------
Fix Version/s: kubernetes-operator-1.3.0
Resolution: Fixed
merged to main 82fca328488be8ddf7d67ec6ce8ad1b20a6da3a6
> Older jackson-databind found in flink-kubernetes-operator-1.2.0-shaded.jar
> --------------------------------------------------------------------------
>
> Key: FLINK-29853
> URL: https://issues.apache.org/jira/browse/FLINK-29853
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.2.1
> Reporter: James Busche
> Priority: Major
> Labels: pull-request-available
> Fix For: kubernetes-operator-1.3.0
>
>
> A Twistlock security scan of the existing 1.2.0 operator as well as the
> current main release shows a high vulnerability with the current
> jackson-databind version.
> ======
> severity: High
> cvss: 7.5
> riskFactors: Attack complexity: low,Attack vector: network,Has fix,High
> severity,Recent vulnerability
> CVE link: [https://nvd.nist.gov/vuln/detail/CVE-2022-42003]
> packageName: com.fasterxml.jackson.core_jackson-databind
> packagePath:
> /flink-kubernetes-operator/flink-kubernetes-operator-1.2.0-shaded.jar and/or
> /flink-kubernetes-operator/flink-kubernetes-operator-1.3-SNAPSHOT-shaded.jar
> description: In FasterXML jackson-databind before 2.14.0-rc1, resource
> exhaustion can occur because of a lack of a check in primitive value
> deserializers to avoid deep wrapper array nesting, when the
> UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in
> 2.13.4.1 and 2.12.17.1
> ====
> This is exactly like the older issue
> https://issues.apache.org/jira/browse/FLINK-27654
> I'm going to see if I can fix it myself and create a PR if I'm successful.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
