[
https://issues.apache.org/jira/browse/SPARK-49897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17887393#comment-17887393
]
Jota Martos commented on SPARK-49897:
-------------------------------------
I can see the client libraries were updated for Spark 4.0 but do not know if
it'll be backported to 3.5. Thanks
> Bump Hadoop libraries to 3.3.9
> ------------------------------
>
> Key: SPARK-49897
> URL: https://issues.apache.org/jira/browse/SPARK-49897
> Project: Spark
> Issue Type: Task
> Components: Security, Spark Core
> Affects Versions: 3.4.3, 3.5.3
> Reporter: Jota Martos
> Priority: Major
>
> CVE-2024-47554 is fixed in that version of the library. Could you please
> confirm whether Spark is affected by this vulnerability and, if so, whether
> there are any plans to update the dependency?
> {code}
> Library                                                 | Vulnerability  | Severity | Installed Version | Fixed Version | Title
> --------------------------------------------------------|----------------|----------|-------------------|---------------|------------------------------------------------------
> commons-io:commons-io (hadoop-client-runtime-3.3.4.jar) | CVE-2024-47554 | HIGH     | 2.8.0             | 2.14.0        | apache-commons-io: Possible denial of service attack
>                                                         |                |          |                   |               | on untrusted input to XmlStreamReader
>                                                         |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2024-47554
> {code}
> h4. Steps to reproduce
> {code}
> trivy image spark
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
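The scanner finding above attributes the vulnerable commons-io 2.8.0 to the shaded hadoop-client-runtime jar rather than to a top-level dependency, so the first thing to verify is which commons-io version the shaded jar actually bundles, independently of the scanner. The script below is an added example, not code from the Spark or Hadoop projects: it reads the Maven metadata that the standard shade layout leaves at META-INF/maven/commons-io/commons-io/pom.properties inside the jar and compares the recorded version against the 2.14.0 fix version quoted in the finding. That metadata path, the assumption that the shaded jar keeps it, and the in-memory sample jars used here are all constructed for the example.

```python
import io
import sys
import zipfile

# Fixed version taken from the trivy finding quoted in the issue (CVE-2024-47554).
FIXED_COMMONS_IO = (2, 14, 0)
# Standard Maven metadata path for the commons-io artifact inside a shaded jar
# (assumption: hadoop-client-runtime keeps this entry after shading).
POM_PROPS = "META-INF/maven/commons-io/commons-io/pom.properties"


def parse_version(text):
    """Turn a version string such as '2.8.0' into a comparable tuple (2, 8, 0).

    Leading digits of each dot-separated component are kept; parsing stops at
    the first component with no digits (e.g. '-SNAPSHOT' qualifiers).
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def bundled_commons_io_version(jar_bytes):
    """Return the commons-io version recorded in the jar's Maven metadata, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def is_affected(jar_bytes):
    """True when the jar bundles a commons-io older than the fixed version.

    None metadata (no pom.properties) yields False here; treat that case as
    'unknown' and fall back to the scanner output rather than as 'clean'.
    """
    version = bundled_commons_io_version(jar_bytes)
    if version is None:
        return False
    return parse_version(version) < FIXED_COMMONS_IO


def make_jar(entries):
    """Build an in-memory jar from {path: content}; constructed sample data for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one jar mimicking the scanner finding (2.8.0), one on the fixed line.
SAMPLE_VULNERABLE = make_jar({
    POM_PROPS: "version=2.8.0\ngroupId=commons-io\nartifactId=commons-io\n",
    "org/apache/commons/io/input/XmlStreamReader.class": b"\xca\xfe\xba\xbe",
})
SAMPLE_FIXED = make_jar({
    POM_PROPS: "version=2.14.0\ngroupId=commons-io\nartifactId=commons-io\n",
})


if __name__ == "__main__":
    # Usage: python check_commons_io.py path/to/hadoop-client-runtime-3.3.4.jar
    # With no argument the constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(sys.argv[1], bundled_commons_io_version(data), "affected" if is_affected(data) else "not affected")
    else:
        for label, data in (("sample-vulnerable", SAMPLE_VULNERABLE), ("sample-fixed", SAMPLE_FIXED)):
            print(label, bundled_commons_io_version(data), "affected" if is_affected(data) else "not affected")
```

Run it against the hadoop-client-runtime jar pulled out of the image being scanned; if the metadata entry is missing (some shade configurations strip META-INF/maven), the script reports nothing rather than a clean result, and the scanner finding should be taken as-is.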