[
https://issues.apache.org/jira/browse/SPARK-43864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727147#comment-17727147
]
Sean R. Owen commented on SPARK-43864:
--------------------------------------
Please, when reporting CVE-related issues, make the case that this affects
Spark at all. Does it? This is a test-scoped dependency. The htmlunit
dependency comes from 3rd party libs, not Spark. You would want to just try
changing the handling of these deps to see if removing this even means the
net.sourceforge dep is unused. But, does this matter?
> Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before
> 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL
> ----------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SPARK-43864
> URL: https://issues.apache.org/jira/browse/SPARK-43864
> Project: Spark
> Issue Type: Improvement
> Components: Build
> Affects Versions: 3.4.0
> Reporter: gaoyajun02
> Priority: Major
>
> CVE-2023-26119 Detail: [https://nvd.nist.gov/vuln/detail/CVE-2023-26119]
> It is recommended to replace 'net.sourceforge.htmlunit' by 'org.htmlunit' in
> spark
> {code:xml}
> <dependency>
>   <groupId>org.htmlunit</groupId>
>   <artifactId>htmlunit</artifactId>
>   <scope>test</scope>
> </dependency>
> <dependency>
>   <groupId>org.htmlunit</groupId>
>   <artifactId>htmlunit-core-js</artifactId>
>   <scope>test</scope>
> </dependency>
> {code}
> see: [https://www.htmlunit.org/migration.html]
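One way to answer the question raised in the comment above, namely whether the net.sourceforge.htmlunit artifact ever reaches a scope that ships with the application, is to parse `mvn dependency:tree` output and report every path to a given groupId together with its scope. This is an added example, not Spark's or the Jira thread's own code; the tree it parses is constructed, and the artifact names and versions in it are placeholders rather than Spark's real dependency graph.

```python
import re

# Constructed sample of `mvn dependency:tree` output. The artifact names and
# versions are placeholders, not Spark's real dependency graph.
SAMPLE_TREE = """\
[INFO] org.example:example-app:jar:1.0.0
[INFO] +- org.example:example-web:jar:1.0.0:compile
[INFO] |  \\- org.example:example-json:jar:1.0.0:compile
[INFO] +- org.example:browser-test-driver:jar:9.9.9:test
[INFO] |  \\- net.sourceforge.htmlunit:htmlunit:jar:2.70.0:test
[INFO] |     \\- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.70.0:test
[INFO] \\- org.example:test-framework:jar:9.9.9:test
"""

# Each tree level is a 3-character prefix ("|  " or "   "); the node itself is
# introduced by "+- " or "\- ". The root line has neither.
NODE_RE = re.compile(r"^\[INFO\] (?P<indent>(?:\|  |   )*)(?P<branch>[+\\]- )?(?P<coord>\S+)$")


def parse_tree(text):
    """Yield (depth, coordinate) for every node line; other log lines are skipped."""
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            depth = len(m.group("indent")) // 3 + (1 if m.group("branch") else 0)
            yield depth, m.group("coord")


def coordinate_scope(coord):
    """Scope is the trailing field: group:artifact:type[:classifier]:version:scope.
    The root artifact (group:artifact:type:version) carries no scope."""
    parts = coord.split(":")
    return parts[-1] if len(parts) >= 5 else None


def find_dependency_paths(text, group_prefix):
    """Return [(ancestor_path, scope)] for every node whose coordinate starts with group_prefix."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # pop back to this node's parent
        stack.append(coord)
        if coord.startswith(group_prefix):
            hits.append((list(stack), coordinate_scope(coord)))
    return hits


def reaches_runtime(text, group_prefix):
    """True if any match lands in a scope that is packaged with the application."""
    return any(scope in ("compile", "runtime")
               for _, scope in find_dependency_paths(text, group_prefix))


if __name__ == "__main__":
    for path, scope in find_dependency_paths(SAMPLE_TREE, "net.sourceforge.htmlunit"):
        print(scope, "->", " -> ".join(path))
```

Run against real `mvn dependency:tree -Dincludes=net.sourceforge.htmlunit` output from the module in question; a result where every path ends in `test` scope is the evidence the comment asks for that the artifact is never shipped.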