[
https://issues.apache.org/jira/browse/FLINK-32176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Martijn Visser reassigned FLINK-32176:
--------------------------------------
Assignee: Samrat Deb
> [CVE-2022-1471] Upgrade snake yaml to 2.0
> -----------------------------------------
>
> Key: FLINK-32176
> URL: https://issues.apache.org/jira/browse/FLINK-32176
> Project: Flink
> Issue Type: Bug
> Components: Connectors / Pulsar
> Affects Versions: 1.17.0
> Reporter: Samrat Deb
> Assignee: Samrat Deb
> Priority: Major
>
>
> * *CVE ID:* {{CVE-2022-1471}}
> * *CWE:* CWE-502 Deserialization of Untrusted Data
> * {*}Severity{*}: Critical
> {{pulsar-client-all-2.10.0.jar (shaded: org.yaml:snakeyaml:1.30)}}
>
> {{SnakeYaml's Constructor() class does not restrict types which can be
> instantiated during deserialization. Deserializing yaml content provided by
> an attacker can lead to remote code execution. We recommend using SnakeYaml's
> SafeConsturctor when parsing untrusted content to restrict deserialization.}}
> {{}}
> {{More details : https://nvd.nist.gov/vuln/detail/CVE-2022-1471}}
> {{{}{}}}{{{}{}}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
