This repository has been archived by the owner on Dec 14, 2022. It is now read-only.

[BUG] Fix CVE issues #79

Closed
sijie opened this issue May 25, 2020 · 1 comment · Fixed by #81

sijie commented May 25, 2020

| Priority | Category | FileName |
| --- | --- | --- |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-transport-native-epoll:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-transport-native-unix-common:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-transport:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-codec-dns:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-buffer:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-codec:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-handler:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-resolver:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-common:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-codec-http:4.1.45.Final) |
| Critical | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2020-11612 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-resolver-dns:4.1.45.Final) |
| High | CWE-20 Improper Input Validation: CVE-2015-2156 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: com.typesafe.netty:netty-reactive-streams:2.0.0) |
| High | CWE-20 Improper Input Validation: CVE-2015-2156 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.26.Final) |
| Medium | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): CVE-2019-20445 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: com.typesafe.netty:netty-reactive-streams:2.0.0) |
| Medium | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): CVE-2019-20444 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: com.typesafe.netty:netty-reactive-streams:2.0.0) |
| Medium | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): CVE-2019-16869 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: com.typesafe.netty:netty-reactive-streams:2.0.0) |
| Medium | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2014-3488 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: com.typesafe.netty:netty-reactive-streams:2.0.0) |
| Medium | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): CVE-2019-20445 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.26.Final) |
| Medium | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): CVE-2019-20444 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.26.Final) |
| Medium | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'): CVE-2019-16869 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.26.Final) |
| Medium | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: CVE-2014-3488 | pulsar-flink-connector_2.11-2.4.12.jar (shaded: io.netty:netty-tcnative-boringssl-static:2.0.26.Final) |

jiazhai commented May 25, 2020

Seems all related to netty version update.
