This is a Velocity issue. Spark doesn't use it, although it looks like Avro does. From reading the CVE, I do not believe it would impact Avro's usage - Velocity templates it may use for codegen aren't exposed that I know of. Is there a known relationship to Spark here? That is the key question in security questions like this.
In any event, to pursue an update, it would likely have to start by updating Avro if it hasn't already, and if it has, pursue upgrading Avro in Spark -- if the supported Hadoop versions work with it.

On Thu, May 5, 2022 at 12:32 PM Pralabh Kumar <pralabhku...@gmail.com> wrote:

> Hi Dev Team
>
> Please let me know if there is a jira to track this CVE changes with
> respect to Spark. Searched jira but couldn't find anything.
>
> Please help
>
> Regards
> Pralabh Kumar