Andreas Thum created SPARK-54716:
------------------------------------
Summary: CVEs in Spark dependencies
Key: SPARK-54716
URL: https://issues.apache.org/jira/browse/SPARK-54716
Project: Spark
Issue Type: Dependency upgrade
Components: Security
Affects Versions: 4.0.1
Reporter: Andreas Thum
Our security scanner finds the following critical vulnerabilities in our Spark container image. Is it possible for you to upgrade the dependencies to the fixed versions? Thank you!
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||Related issues||Comments||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4| |False positive? As far as I can see, Spark 4.0.1 already uses Avro 1.12.0|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17,...|SPARK-54649| |
|[PRISMA-2023-0067|https://github.com/FasterXML/jackson-core/pull/827]|High|Prisma: 7.5|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| | |
|[CVE-2023-39410|https://nvd.nist.gov/vuln/detail/CVE-2023-39410]|High|N/A|org.apache.avro_avro|1.9.2|1.11.3|SPARK-49550|False positive? (see above)|
|[CVE-2025-48734|https://nvd.nist.gov/vuln/detail/CVE-2025-48734]|High|NVD: 8.8|commons-beanutils_commons-beanutils|1.9.4|1.11.0| | |
|[CVE-2025-52999|https://nvd.nist.gov/vuln/detail/CVE-2025-52999]|High|N/A|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| | |
|[CVE-2024-13009|https://nvd.nist.gov/vuln/detail/CVE-2024-13009]|High|NVD: 7.2|org.eclipse.jetty_jetty-io|9.4.53.v20231009|9.4.57| | |
|[CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163]|High|N/A|io.netty_netty-codec-http2|4.1.118.Final|4.2.4.final, 4.1.124.final|SPARK-53436| |
|[CVE-2019-10172|https://nvd.nist.gov/vuln/detail/CVE-2019-10172]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466, SPARK-33734| |
|[CVE-2019-10202|https://nvd.nist.gov/vuln/detail/CVE-2019-10202]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466| |
|[CVE-2024-8184|https://nvd.nist.gov/vuln/detail/CVE-2024-8184]|Medium|NVD: 6.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.9, 11.0.24, 10.0.24,...|SPARK-47269|False positive? Should have been resolved in Spark 4.0.0|
|[CVE-2024-29869|https://nvd.nist.gov/vuln/detail/CVE-2024-29869]|Medium|NVD: 5.5|org.apache.hive_hive-exec|2.3.10|4.0.1| | |
|[CVE-2025-49128|https://nvd.nist.gov/vuln/detail/CVE-2025-49128]|Medium|NVD: 4|com.fasterxml.jackson.core_jackson-core|2.12.7|2.13.0| | |
|[CVE-2025-53864|https://nvd.nist.gov/vuln/detail/CVE-2025-53864]|Medium|NVD: 5.8|com.nimbusds_nimbus-jose-jwt|9.37.2|10.0.2| | |