[ https://issues.apache.org/jira/browse/HADOOP-19910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18086297#comment-18086297 ]

PJ Fanning commented on HADOOP-19910:
-------------------------------------

Hadoop uses Jetty 9.4, but there is no release greater than 9.4.58, despite what the CVE says.

> Upgrade Jetty from 9.4.58 to 9.4.60+ to fix CVE-2026-2332 (HTTP Request 
> Smuggling)
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-19910
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19910
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hadoop-common
>    Affects Versions: 3.5.0
>            Reporter: Hemanath
>            Priority: Major
>             Fix For: 3.5.0
>
>
> When we scan our Docker images that have pyspark and hadoop-client-runtime-3.5.0.jar using the Trivy security scanner, a vulnerability (CVE-2026-2332) is flagged for the library org.eclipse.jetty:jetty-http 9.4.58.v20250814 with high severity. hadoop-client-runtime-3.5.0.jar is using this version. The Trivy report is shown below:
>
> |*Library*|*Vulnerability*|*Severity*|*Status*|*Installed Version*|*Fixed Version*|
> |org.eclipse.jetty:jetty-http (hadoop-client-runtime-3.5.0.jar)|CVE-2026-2332|HIGH|fixed|9.4.58.v20250814|9.4.60, 10.0.28, 11.0.28, 12.0.33, 12.1.7|
>
> We are using pyspark in our application. hadoop-client-runtime is installed due to the dependency pyspark has on hadoop-client-runtime.
> Could you please upgrade Jetty to any of the fixed versions?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
