Hemanath created HADOOP-19910:
---------------------------------
Summary: Upgrade Jetty from 9.4.58 to 9.4.60+ to fix CVE-2026-2332 (HTTP Request Smuggling)
Key: HADOOP-19910
URL: https://issues.apache.org/jira/browse/HADOOP-19910
Project: Hadoop Common
Issue Type: Bug
Components: hadoop-common
Affects Versions: 3.5.0
Reporter: Hemanath
Fix For: 3.5.0
When we scan our Docker images that have pyspark and
hadoop-client-runtime-3.5.0.jar using the Trivy security scanner, a vulnerability
(CVE-2026-2332) is being flagged for library org.eclipse.jetty:jetty-http
9.4.58.v20250814 with high severity. hadoop-client-runtime-3.5.0.jar is using
this version. The Trivy report is shown below:
|*Library*|*Vulnerability*|*Severity*|*Status*|*Installed Version*|*Fixed Version*|
|org.eclipse.jetty:jetty-http (hadoop-client-runtime-3.5.0.jar)|CVE-2026-2332|HIGH|fixed|9.4.58.v20250814|9.4.60, 10.0.28, 11.0.28, 12.0.33, 12.1.7|
We are using pyspark in our application. Hadoop-client-runtime is installed
due to the dependency pyspark has on hadoop-client-runtime.
Could you please upgrade Jetty to any of the fixed versions?
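As an added example (not part of this issue or of the Hadoop project), a small POSIX shell check that reads the jetty-http pom.properties from a shaded jar such as hadoop-client-runtime-3.5.0.jar and compares the bundled version against the fixed versions in the Trivy table above. It assumes the shaded jar still carries META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties, which is the file Trivy keys on.

```shell
#!/bin/sh
# Added example, not part of the Jira issue or the Hadoop project: check the
# Jetty version bundled in a shaded jar against the fixed versions that the
# Trivy report lists for CVE-2026-2332.
set -u

# Fixed versions copied from the Trivy table, one per Jetty release line.
FIXED_VERSIONS="9.4.60 10.0.28 11.0.28 12.0.33 12.1.7"

# jetty_is_fixed VERSION: prints "yes" if VERSION is at or above the fixed
# release of its own major.minor line, "no" if it is still vulnerable, and
# "unknown" if that line is not in the table. The ".vYYYYMMDD" qualifier
# that Jetty appends (e.g. 9.4.58.v20250814) is ignored for the comparison.
jetty_is_fixed() {
    v=$(printf '%s\n' "$1" | sed 's/\.v[0-9]*$//')
    line=$(printf '%s\n' "$v" | cut -d. -f1,2)
    patch=$(printf '%s\n' "$v" | cut -d. -f3)
    for f in $FIXED_VERSIONS; do
        [ "$(printf '%s\n' "$f" | cut -d. -f1,2)" = "$line" ] || continue
        fixed_patch=$(printf '%s\n' "$f" | cut -d. -f3)
        if [ "$patch" -ge "$fixed_patch" ]; then echo yes; else echo no; fi
        return 0
    done
    echo unknown
}

# check_jar JAR: read the Maven pom.properties the shaded jar carries for
# jetty-http (assumed present; it is what Trivy detects) and report whether
# that version is at or above the fix for its release line.
check_jar() {
    props=$(unzip -p "$1" META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties 2>/dev/null) || {
        echo "no jetty-http pom.properties in $1" >&2
        return 2
    }
    ver=$(printf '%s\n' "$props" | sed -n 's/^version=//p')
    printf 'jetty-http %s in %s: fixed=%s\n' "$ver" "$1" "$(jetty_is_fixed "$ver")"
}

# Usage: sh check_jetty.sh hadoop-client-runtime-3.5.0.jar
if [ $# -gt 0 ]; then check_jar "$1"; fi
```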
--
This message was sent by Atlassian Jira
(v8.20.10#820010)