[https://issues.apache.org/jira/browse/SPARK-43864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727827#comment-17727827]
gaoyajun02 commented on SPARK-43864:
------------------------------------
@[~srowen] thank you for your reply. It doesn't matter for Spark, but it will
affect some users who use community Spark to package or deploy.
Some companies that pay more attention to security will disable these packages
with security vulnerabilities.
The implementation is to check dependencies during the packaging process. Once
a dependency is introduced, it will prevent release and deployment, regardless
of whether it is in the test scope.
> Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before
> 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT
> ----------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SPARK-43864
> URL: https://issues.apache.org/jira/browse/SPARK-43864
> Project: Spark
> Issue Type: Improvement
> Components: Build
> Affects Versions: 3.4.0
> Reporter: gaoyajun02
> Priority: Minor
>
> CVE-2023-26119 Detail: [https://nvd.nist.gov/vuln/detail/CVE-2023-26119]
> It is recommended to replace 'net.sourceforge.htmlunit' with 'org.htmlunit' in
> Spark
> {code:xml}
> <dependency>
>   <groupId>org.htmlunit</groupId>
>   <artifactId>htmlunit</artifactId>
>   <scope>test</scope>
> </dependency>
> <dependency>
>   <groupId>org.htmlunit</groupId>
>   <artifactId>htmlunit-core-js</artifactId>
>   <scope>test</scope>
> </dependency>
> {code}
> see: [https://www.htmlunit.org/migration.html]
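The build-time gate described in the comment, as an added example that is not part of the Jira issue or of the Spark build: a Maven Enforcer rule that fails `mvn package` when the vulnerable coordinates from the issue appear anywhere in the dependency tree, test scope included. The plugin version and the execution id are assumptions.

```xml
<!-- pom.xml fragment (added example). Fails the build if a vulnerable
     htmlunit is pulled in, directly or transitively, in any scope.
     Plugin version 3.3.0 is an assumption; pin the one your build uses. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.3.0</version>
  <executions>
    <execution>
      <!-- execution id is an arbitrary, assumed name -->
      <id>ban-vulnerable-htmlunit</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <excludes>
              <!-- range taken from the issue: versions from 0 up to,
                   but not including, 3.0.0 (CVE-2023-26119) -->
              <exclude>net.sourceforge.htmlunit:htmlunit:[0,3.0.0)</exclude>
            </excludes>
            <!-- walk transitive dependencies too; that is where an old
                 htmlunit usually comes back in unnoticed -->
            <searchTransitive>true</searchTransitive>
            <message>net.sourceforge.htmlunit:htmlunit below 3.0.0 (CVE-2023-26119) is banned; migrate to org.htmlunit:htmlunit</message>
          </bannedDependencies>
        </rules>
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
```

The `enforce` goal binds to the `validate` phase by default, so the check runs before compilation or packaging; to ban the whole legacy group rather than only the CVE range, replace the `exclude` value with `net.sourceforge.htmlunit`.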
--
This message was sent by Atlassian Jira
(v8.20.10#820010)