[ https://issues.apache.org/jira/browse/SPARK-54716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Thum updated SPARK-54716:
---------------------------------
    Description: 
Our security scanner finds the following critical vulnerabilities in our Spark container image.

Is it possible for you to upgrade the dependencies to the fixed versions?

Thank you!

 

 
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||Related issues||Comments||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4| |False positive? As far as I can see, Spark 4.0.1 already uses Avro 1.12.0. Is this correct? Are multiple versions in use?|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17,...|SPARK-54649| |
|[PRISMA-2023-0067|https://github.com/FasterXML/jackson-core/pull/827]|High|Prisma: 7.5|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? As far as I can see, Spark 4.0.1 already uses Jackson-Core 2.18.2. Is this correct? Are multiple versions in use?|
|[CVE-2023-39410|https://nvd.nist.gov/vuln/detail/CVE-2023-39410]|High|N/A|org.apache.avro_avro|1.9.2|1.11.3|SPARK-49550|False positive? (see above)|
|[CVE-2025-48734|https://nvd.nist.gov/vuln/detail/CVE-2025-48734]|High|NVD: 8.8|commons-beanutils_commons-beanutils|1.9.4|1.11.0| | |
|[CVE-2025-52999|https://nvd.nist.gov/vuln/detail/CVE-2025-52999]|High|N/A|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? (see above)|
|[CVE-2024-13009|https://nvd.nist.gov/vuln/detail/CVE-2024-13009]|High|NVD: 7.2|org.eclipse.jetty_jetty-io|9.4.53.v20231009|9.4.57| |False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163]|High|N/A|io.netty_netty-codec-http2|4.1.118.Final|4.2.4.final, 4.1.124.final|SPARK-53436|Will be fixed in Spark 4.1.0|
|[CVE-2019-10172|https://nvd.nist.gov/vuln/detail/CVE-2019-10172]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466, SPARK-33734| |
|[CVE-2019-10202|https://nvd.nist.gov/vuln/detail/CVE-2019-10202]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466| |
|[CVE-2024-8184|https://nvd.nist.gov/vuln/detail/CVE-2024-8184]|Medium|NVD: 6.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.9, 11.0.24, 10.0.24,...|SPARK-47269|False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2024-29869|https://nvd.nist.gov/vuln/detail/CVE-2024-29869]|Medium|NVD: 5.5|org.apache.hive_hive-exec|2.3.10|4.0.1| | |
|[CVE-2025-49128|https://nvd.nist.gov/vuln/detail/CVE-2025-49128]|Medium|NVD: 4|com.fasterxml.jackson.core_jackson-core|2.12.7|2.13.0| | |
|[CVE-2025-53864|https://nvd.nist.gov/vuln/detail/CVE-2025-53864]|Medium|NVD: 5.8|com.nimbusds_nimbus-jose-jwt|9.37.2|10.0.2| | |
|[CVE-2024-9823|https://nvd.nist.gov/vuln/detail/CVE-2024-9823]|Medium|NVD: 7.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.3, 11.0.18, 10.0.18,...| |False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2025-58057|https://nvd.nist.gov/vuln/detail/CVE-2025-58057]|Medium|NVD: 6.9|io.netty_netty-codec|4.1.118.Final|4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-58056|https://nvd.nist.gov/vuln/detail/CVE-2025-58056]|Medium|NVD: 8.2|io.netty_netty-codec-http|4.1.118.Final|4.2.5.final, 4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-67735|https://nvd.nist.gov/vuln/detail/CVE-2025-67735]|Medium|NVD: 6.5|io.netty_netty-codec-http|4.1.118.Final|4.2.8.final, 4.1.129.final| | |
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|9.4.53.v20231009|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark?|
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|11.0.24|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|commons-lang_commons-lang|2.6| |SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.12.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.17.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|

 

 

  was:
Our security scanner finds the following critical vulnerabilities in our Spark container image.

Is it possible for you to upgrade the dependencies to the fixed versions?

Thank you!

 

 
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||Related issues||Comments||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4| |False positive? As far as I can see, Spark 4.0.1 already uses Avro 1.12.0. Is this correct? Are multiple versions in use?|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17,...|SPARK-54649| |
|[PRISMA-2023-0067|https://github.com/FasterXML/jackson-core/pull/827]|High|Prisma: 7.5|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? As far as I can see, Spark 4.0.1 already uses Jackson-Core 2.18.2. Is this correct? Are multiple versions in use?|
|[CVE-2023-39410|https://nvd.nist.gov/vuln/detail/CVE-2023-39410]|High|N/A|org.apache.avro_avro|1.9.2|1.11.3|SPARK-49550|False positive? (see above)|
|[CVE-2025-48734|https://nvd.nist.gov/vuln/detail/CVE-2025-48734]|High|NVD: 8.8|commons-beanutils_commons-beanutils|1.9.4|1.11.0| | |
|[CVE-2025-52999|https://nvd.nist.gov/vuln/detail/CVE-2025-52999]|High|N/A|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? (see above)|
|[CVE-2024-13009|https://nvd.nist.gov/vuln/detail/CVE-2024-13009]|High|NVD: 7.2|org.eclipse.jetty_jetty-io|9.4.53.v20231009|9.4.57| |False positive?|
|[CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163]|High|N/A|io.netty_netty-codec-http2|4.1.118.Final|4.2.4.final, 4.1.124.final|SPARK-53436|Will be fixed in Spark 4.1.0|
|[CVE-2019-10172|https://nvd.nist.gov/vuln/detail/CVE-2019-10172]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466, SPARK-33734| |
|[CVE-2019-10202|https://nvd.nist.gov/vuln/detail/CVE-2019-10202]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466| |
|[CVE-2024-8184|https://nvd.nist.gov/vuln/detail/CVE-2024-8184]|Medium|NVD: 6.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.9, 11.0.24, 10.0.24,...|SPARK-47269|False positive?|
|[CVE-2024-29869|https://nvd.nist.gov/vuln/detail/CVE-2024-29869]|Medium|NVD: 5.5|org.apache.hive_hive-exec|2.3.10|4.0.1| | |
|[CVE-2025-49128|https://nvd.nist.gov/vuln/detail/CVE-2025-49128]|Medium|NVD: 4|com.fasterxml.jackson.core_jackson-core|2.12.7|2.13.0| | |
|[CVE-2025-53864|https://nvd.nist.gov/vuln/detail/CVE-2025-53864]|Medium|NVD: 5.8|com.nimbusds_nimbus-jose-jwt|9.37.2|10.0.2| | |
|[CVE-2024-9823|https://nvd.nist.gov/vuln/detail/CVE-2024-9823]|Medium|NVD: 7.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.3, 11.0.18, 10.0.18,...| | |
|[CVE-2025-58057|https://nvd.nist.gov/vuln/detail/CVE-2025-58057]|Medium|NVD: 6.9|io.netty_netty-codec|4.1.118.Final|4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-58056|https://nvd.nist.gov/vuln/detail/CVE-2025-58056]|Medium|NVD: 8.2|io.netty_netty-codec-http|4.1.118.Final|4.2.5.final, 4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-67735|https://nvd.nist.gov/vuln/detail/CVE-2025-67735]|Medium|NVD: 6.5|io.netty_netty-codec-http|4.1.118.Final|4.2.8.final, 4.1.129.final| | |
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|9.4.53.v20231009|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark? (see below)|
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|11.0.24|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark? (see above)|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|commons-lang_commons-lang|2.6| |SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.12.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.17.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|

 

 


> CVEs in Spark dependencies
> --------------------------
>
>                 Key: SPARK-54716
>                 URL: https://issues.apache.org/jira/browse/SPARK-54716
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Security
>    Affects Versions: 4.0.1
>            Reporter: Andreas Thum
>            Priority: Major
>              Labels: security
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
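The recurring question in the table above is whether the image really carries two versions of avro, jetty-io or commons-lang, or whether the scanner is reading stale metadata out of a shaded or fat jar. The script below is an added example for answering that question on a Spark distribution or image; it is not Spark's code and not the reporter's scanner. It assumes the dependency jars sit in one directory (/opt/spark/jars is an assumed path), that most jars carry Maven metadata at META-INF/maven/<groupId>/<artifactId>/pom.properties, and that a shaded jar may either copy the pom.properties of what it bundles or embed whole jars. The fixture it runs on when called without arguments (avro 1.12.0, jetty-io 11.0.24, commons-lang3 3.17.0 and a hypothetical `some-fat-1.0.jar` that shades avro 1.9.2 metadata and embeds a metadata-less jetty-io 9.4.53.v20231009 jar) is constructed for illustration and is not taken from any real image.

```python
"""Report dependency jars that ship in more than one version.

Added example for SPARK-54716, not Spark code and not the reporter's scanner.
Assumes one jars directory (e.g. /opt/spark/jars, an assumed path) whose jars
mostly carry META-INF/maven/<groupId>/<artifactId>/pom.properties; fat jars
are inspected for copied pom.properties and for embedded jars (one level deep).
"""
import io
import os
import re
import sys
import tempfile
import zipfile
from collections import defaultdict

POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
# artifact-version.jar; the version starts with a digit (9.4.53.v20231009, 4.1.118.Final, ...)
FILENAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def _parse_properties(data):
    props = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def coordinates_in_jar(zf, origin, depth=0):
    """Yield (artifactId, version, origin) for each Maven artifact visible in a jar.
    origin is 'outer.jar' or 'outer.jar!/path/inner.jar' for an embedded jar."""
    has_metadata = False
    for name in zf.namelist():
        if POM_PROPS.match(name):
            p = _parse_properties(zf.read(name))
            if "artifactId" in p and "version" in p:
                has_metadata = True
                yield p["artifactId"], p["version"], origin
        elif name.endswith(".jar") and depth < 1:
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from coordinates_in_jar(inner, f"{origin}!/{name}", depth + 1)
    if not has_metadata:
        # No pom.properties (stripped or hand-built jar): fall back to the file name.
        m = FILENAME.match(os.path.basename(origin.split("!/")[-1]))
        if m:
            yield m.group("artifact"), m.group("version"), origin


def find_duplicate_versions(jar_dir):
    """Return {artifactId: {version: [origin, ...]}} for artifacts seen in >1 version.
    Keyed by artifactId so metadata hits and filename-only hits merge."""
    seen = defaultdict(lambda: defaultdict(list))
    for entry in sorted(os.listdir(jar_dir)):
        if not entry.endswith(".jar"):
            continue
        try:
            with zipfile.ZipFile(os.path.join(jar_dir, entry)) as zf:
                for artifact, version, origin in coordinates_in_jar(zf, entry):
                    seen[artifact][version].append(origin)
        except zipfile.BadZipFile:
            continue
    return {a: dict(v) for a, v in seen.items() if len(v) > 1}


def _pom(group, artifact, version):
    return f"groupId={group}\nartifactId={artifact}\nversion={version}\n".encode()


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_jars(dest):
    """Constructed fixture (not a real Spark image): current jars plus a hypothetical
    fat jar that shades avro 1.9.2 metadata and embeds a metadata-less old jetty-io."""
    jars = os.path.join(dest, "jars")
    os.makedirs(jars, exist_ok=True)
    files = {
        "avro-1.12.0.jar": {"META-INF/maven/org.apache.avro/avro/pom.properties": _pom("org.apache.avro", "avro", "1.12.0")},
        "jetty-io-11.0.24.jar": {"META-INF/maven/org.eclipse.jetty/jetty-io/pom.properties": _pom("org.eclipse.jetty", "jetty-io", "11.0.24")},
        "commons-lang3-3.17.0.jar": {"META-INF/maven/org.apache.commons/commons-lang3/pom.properties": _pom("org.apache.commons", "commons-lang3", "3.17.0")},
        "some-fat-1.0.jar": {
            "META-INF/maven/org.example/some-fat/pom.properties": _pom("org.example", "some-fat", "1.0"),
            "META-INF/maven/org.apache.avro/avro/pom.properties": _pom("org.apache.avro", "avro", "1.9.2"),
            "lib/jetty-io-9.4.53.v20231009.jar": _jar_bytes({"org/eclipse/jetty/io/Placeholder.class": b""}),
        },
    }
    for name, entries in files.items():
        with open(os.path.join(jars, name), "wb") as f:
            f.write(_jar_bytes(entries))
    return jars


def demo():
    """Run the check against the constructed fixture in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_duplicate_versions(build_sample_jars(tmp))


def main(argv):
    # Usage: python3 dupjars.py /opt/spark/jars   (no argument: run on the fixture)
    dups = find_duplicate_versions(argv[1]) if len(argv) > 1 else demo()
    for artifact, versions in sorted(dups.items()):
        print(artifact)
        for version, origins in sorted(versions.items()):
            print(f"  {version:<20} {', '.join(origins)}")
    return 1 if dups else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the jars directory of the image under scan (for example after `docker cp <container>:/opt/spark/jars .`); every artifact listed with two versions is a real second copy on the classpath or a stale pom.properties inside a fat jar, and the origin column tells you which. A hit whose origin ends in `!/...` or points at a jar other than the artifact's own is the scanner's "old version" and is what the upgrade request needs to target, since bumping the top-level dependency alone does not change it.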
