Jota Martos created SPARK-49897:
-----------------------------------
Summary: Bump Hadoop libraries to 3.3.9
Key: SPARK-49897
URL: https://issues.apache.org/jira/browse/SPARK-49897
Project: Spark
Issue Type: Task
Components: Security, Spark Core
Affects Versions: 3.5.3, 3.4.3
Reporter: Jota Martos
CVE-2024-47554 is fixed in that version of the library. Could you please
confirm whether Spark is affected by this vulnerability and, if so, whether
there are any plans to update the dependency?
{code}
│ Library                                                 │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                   │
│ commons-io:commons-io (hadoop-client-runtime-3.3.4.jar) │ CVE-2024-47554 │ HIGH     │ 2.8.0             │ 2.14.0        │ apache-commons-io: Possible denial of service attack on │
│                                                         │                │          │                   │               │ untrusted input to XmlStreamReader                      │
│                                                         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47554              │
{code}
h4. Steps to reproduce
{code}
trivy image spark
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)