[
https://issues.apache.org/jira/browse/FLINK-32874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17754770#comment-17754770
]
Sergey Nuyanzin edited comment on FLINK-32874 at 8/15/23 9:35 PM:
------------------------------------------------------------------
[~satanicmechanic] could you please clarify where does 3.1.9 come from?
Master depends on 3.1.10
1.17. depends on 3.0.11
Moreover description states
{quote}
If the parser runs on user-supplied input, an attacker could supply content
that causes the parser to crash due to a stack overflow.
{quote}
Janino is used only internally without exposing to user... So it is unclear how
it is possible in Flink to supply such content from user side...
Nice to have it updated however not sure that it impacts Flink.
was (Author: sergey nuyanzin):
[~satanicmechanic] could you please clarify where does 3.1.9 come from?
Master depends on 3.1.10
1.17. depends on 3.0.11
> Update Janino to current
> ------------------------
>
> Key: FLINK-32874
> URL: https://issues.apache.org/jira/browse/FLINK-32874
> Project: Flink
> Issue Type: Technical Debt
> Affects Versions: 1.17.1
> Reporter: Morey Straus
> Priority: Major
> Labels: security
>
> Janino 3.1.9 is vulnerable to CVE-2023-33546
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
