[jira] [Commented] (FLINK-32176) [CVE-2022-1471] Mitigate CVE from snakeyaml coming from pulsar-client-all

Samrat Deb (Jira) Fri, 26 May 2023 20:31:04 -0700


    [ 
https://issues.apache.org/jira/browse/FLINK-32176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17726765#comment-17726765
 ]


Samrat Deb commented on FLINK-32176:
------------------------------------

Please help triggering the workflow for the PR to complete which needs approval 
from maintainers/commiter.

> [CVE-2022-1471] Mitigate CVE from snakeyaml coming from pulsar-client-all
> -------------------------------------------------------------------------
>
>                 Key: FLINK-32176
>                 URL: https://issues.apache.org/jira/browse/FLINK-32176
>             Project: Flink
>          Issue Type: Bug
>          Components: Connectors / Pulsar
>    Affects Versions: 1.17.0
>            Reporter: Samrat Deb
>            Assignee: Samrat Deb
>            Priority: Major
>              Labels: pull-request-available
>
>  
>  * *CVE ID:* {{CVE-2022-1471}}
>  * *CWE:* CWE-502 Deserialization of Untrusted Data
>  * {*}Severity{*}: Critical
> {{pulsar-client-all-2.10.0.jar (shaded: org.yaml:snakeyaml:1.30)}}
>  
> {{SnakeYaml's Constructor() class does not restrict types which can be 
> instantiated during deserialization. Deserializing yaml content provided by 
> an attacker can lead to remote code execution. We recommend using SnakeYaml's 
> SafeConsturctor when parsing untrusted content to restrict deserialization.}}
> {{}}
> {{More details : https://nvd.nist.gov/vuln/detail/CVE-2022-1471}}
> {{{}{}}}{{{}{}}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (FLINK-32176) [CVE-2022-1471] Mitigate CVE from snakeyaml coming from pulsar-client-all

Reply via email to