[
https://issues.apache.org/jira/browse/FLINK-36830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903765#comment-17903765
]
Sergey Nuyanzin commented on FLINK-36830:
-----------------------------------------
Merged as
[cbe265601e56b20b12deeb111727975339f06617|https://github.com/apache/flink/commit/cbe265601e56b20b12deeb111727975339f06617]
To completely solve CVE issue also need to release flink-shaded and bump its
version
> Override json-path version used by Calcite Bridge
> -------------------------------------------------
>
> Key: FLINK-36830
> URL: https://issues.apache.org/jira/browse/FLINK-36830
> Project: Flink
> Issue Type: Improvement
> Components: Table SQL / Runtime
> Affects Versions: 2.0-preview
> Reporter: Thomas Cooper
> Priority: Major
> Labels: pull-request-available
>
> There is a high severity vulnerability
> ([CVE-2023-1370|https://nvd.nist.gov/vuln/detail/CVE-2023-1370]) in the
> {{json-path}} version used by the Calcite library (currently version 1.34)
> used in the {{flink-table-calcite-bridge}} module.
> Newer versions of Calcite update to newer versions of {{json-path}} that
> patch this vulnerability. However, updating Calcite to the latest 1.38
> version ([FLINK-36602|https://issues.apache.org/jira/browse/FLINK-36602]) is
> not straightforward and involves changes to the SQL parsing logic. Following
> [discussion|https://lists.apache.org/thread/7ogwvj5z3o176dw95145dzvlolrkyps4]
> on the dev mailing list, an incremental Calcite upgrade process is preferred.
> Therefore, we need to override the vulnerable version of {{json-path}} used
> by the {{flink-table-calcite-bridge}} module. Once
> [FLINK-36602|https://issues.apache.org/jira/browse/FLINK-36602] is
> implemented, this override can be removed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
