[ https://issues.apache.org/jira/browse/SPARK-54715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Thum updated SPARK-54715:
---------------------------------
    Description: 
Our security scanner finds the following critical vulnerabilities in our Spark container image.

Is it possible for you to upgrade the dependencies to the fixed versions?

Thank you!


*Spark 4.0.1*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17, ...|

I've seen that there is already a PR to fix [CVE-2025-12383|https://github.com/advisories/GHSA-7p63-w6x9-6gr7]: [#53404|https://github.com/apache/spark/pull/53404] [SPARK-54649][BUILD][3.5] Upgrade Jersey to 2.47


*Spark 3.5.7*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981]|Critical|N/A|org.apache.zookeeper_zookeeper|3.6.3|3.9.1, 3.8.3, 3.7.2|
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.7.7|1.11.4|

A fix for [CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981] was already requested in SPARK-45956 and a backport to Spark 3.X was rejected ([https://github.com/apache/spark/pull/43844#issuecomment-3468731350]).


> Request to patch dependencies to fix critical CVEs
> --------------------------------------------------
>
>                 Key: SPARK-54715
>                 URL: https://issues.apache.org/jira/browse/SPARK-54715
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Security
>    Affects Versions: 4.0.1, 3.5.7
>            Reporter: Andreas Thum
>            Priority: Major
>              Labels: security
--
This message was sent by Atlassian Jira
(v8.20.10#820010)