[
https://issues.apache.org/jira/browse/FLINK-32176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Flink Jira Bot updated FLINK-32176:
-----------------------------------
Labels: pull-request-available stale-assigned (was: pull-request-available)
I am the [Flink Jira Bot|https://github.com/apache/flink-jira-bot/] and I help
the community manage its development. I see this issue is assigned but has not
received an update in 30 days, so it has been labeled "stale-assigned".
If you are still working on the issue, please remove the label and add a
comment updating the community on your progress. If this issue is waiting on
feedback, please consider this a reminder to the committer/reviewer. Flink is a
very active project, and so we appreciate your patience.
If you are no longer working on the issue, please unassign yourself so someone
else may work on it.
> [CVE-2022-1471] Mitigate CVE from snakeyaml coming from pulsar-client-all
> -------------------------------------------------------------------------
>
> Key: FLINK-32176
> URL: https://issues.apache.org/jira/browse/FLINK-32176
> Project: Flink
> Issue Type: Bug
> Components: Connectors / Pulsar
> Affects Versions: 1.17.0
> Reporter: Samrat Deb
> Assignee: Samrat Deb
> Priority: Major
> Labels: pull-request-available, stale-assigned
>
>
> * *CVE ID:* {{CVE-2022-1471}}
> * *CWE:* CWE-502 Deserialization of Untrusted Data
> * {*}Severity{*}: Critical
> {{pulsar-client-all-2.10.0.jar (shaded: org.yaml:snakeyaml:1.30)}}
>
> {{SnakeYaml's Constructor() class does not restrict types which can be
> instantiated during deserialization. Deserializing yaml content provided by
> an attacker can lead to remote code execution. We recommend using SnakeYaml's
> SafeConsturctor when parsing untrusted content to restrict deserialization.}}
> {{}}
> {{More details : https://nvd.nist.gov/vuln/detail/CVE-2022-1471}}
> {{{}{}}}{{{}{}}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
