[ https://issues.apache.org/jira/browse/SPARK-54716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Thum updated SPARK-54716:
---------------------------------
Description:
Our security scanner finds the following critical vulnerabilities in our Spark container image.
Is it possible for you to upgrade the dependencies to the fixed versions?
Thank you!
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||Related issues||Comments||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4| |False positive? As far as I can see, Spark 4.0.1 already uses Avro 1.12.0. Is this correct? Are multiple versions in use?|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17,...|SPARK-54649| |
|[PRISMA-2023-0067|https://github.com/FasterXML/jackson-core/pull/827]|High|Prisma: 7.5|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? As far as I can see, Spark 4.0.1 already uses Jackson-Core 2.18.2. Is this correct? Are multiple versions in use?|
|[CVE-2023-39410|https://nvd.nist.gov/vuln/detail/CVE-2023-39410]|High|N/A|org.apache.avro_avro|1.9.2|1.11.3|SPARK-49550|False positive? (see above)|
|[CVE-2025-48734|https://nvd.nist.gov/vuln/detail/CVE-2025-48734]|High|NVD: 8.8|commons-beanutils_commons-beanutils|1.9.4|1.11.0| | |
|[CVE-2025-52999|https://nvd.nist.gov/vuln/detail/CVE-2025-52999]|High|N/A|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? (see above)|
|[CVE-2024-13009|https://nvd.nist.gov/vuln/detail/CVE-2024-13009]|High|NVD: 7.2|org.eclipse.jetty_jetty-io|9.4.53.v20231009|9.4.57| |False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163]|High|N/A|io.netty_netty-codec-http2|4.1.118.Final|4.2.4.final, 4.1.124.final|SPARK-53436|Will be fixed in Spark 4.1.0|
|[CVE-2019-10172|https://nvd.nist.gov/vuln/detail/CVE-2019-10172]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466, SPARK-33734| |
|[CVE-2019-10202|https://nvd.nist.gov/vuln/detail/CVE-2019-10202]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466| |
|[CVE-2024-8184|https://nvd.nist.gov/vuln/detail/CVE-2024-8184]|Medium|NVD: 6.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.9, 11.0.24, 10.0.24,...|SPARK-47269|False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2024-29869|https://nvd.nist.gov/vuln/detail/CVE-2024-29869]|Medium|NVD: 5.5|org.apache.hive_hive-exec|2.3.10|4.0.1| | |
|[CVE-2025-49128|https://nvd.nist.gov/vuln/detail/CVE-2025-49128]|Medium|NVD: 4|com.fasterxml.jackson.core_jackson-core|2.12.7|2.13.0| |False positive? As far as I can see, Spark 4.0.1 already uses Jackson-Core 2.18.2. Is this correct? Are multiple versions in use?|
|[CVE-2025-53864|https://nvd.nist.gov/vuln/detail/CVE-2025-53864]|Medium|NVD: 5.8|com.nimbusds_nimbus-jose-jwt|9.37.2|10.0.2| | |
|[CVE-2024-9823|https://nvd.nist.gov/vuln/detail/CVE-2024-9823]|Medium|NVD: 7.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.3, 11.0.18, 10.0.18,...| |False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2025-58057|https://nvd.nist.gov/vuln/detail/CVE-2025-58057]|Medium|NVD: 6.9|io.netty_netty-codec|4.1.118.Final|4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-58056|https://nvd.nist.gov/vuln/detail/CVE-2025-58056]|Medium|NVD: 8.2|io.netty_netty-codec-http|4.1.118.Final|4.2.5.final, 4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-67735|https://nvd.nist.gov/vuln/detail/CVE-2025-67735]|Medium|NVD: 6.5|io.netty_netty-codec-http|4.1.118.Final|4.2.8.final, 4.1.129.final| | |
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|9.4.53.v20231009|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark?|
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|11.0.24|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|commons-lang_commons-lang|2.6| |SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.12.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.17.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|
was:
Our security scanner finds the following critical vulnerabilities in our Spark container image.
Is it possible for you to upgrade the dependencies to the fixed versions?
Thank you!
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||Related issues||Comments||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4| |False positive? As far as I can see, Spark 4.0.1 already uses Avro 1.12.0. Is this correct? Are multiple versions in use?|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17,...|SPARK-54649| |
|[PRISMA-2023-0067|https://github.com/FasterXML/jackson-core/pull/827]|High|Prisma: 7.5|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? As far as I can see, Spark 4.0.1 already uses Jackson-Core 2.18.2. Is this correct? Are multiple versions in use?|
|[CVE-2023-39410|https://nvd.nist.gov/vuln/detail/CVE-2023-39410]|High|N/A|org.apache.avro_avro|1.9.2|1.11.3|SPARK-49550|False positive? (see above)|
|[CVE-2025-48734|https://nvd.nist.gov/vuln/detail/CVE-2025-48734]|High|NVD: 8.8|commons-beanutils_commons-beanutils|1.9.4|1.11.0| | |
|[CVE-2025-52999|https://nvd.nist.gov/vuln/detail/CVE-2025-52999]|High|N/A|com.fasterxml.jackson.core_jackson-core|2.12.7|2.15.0| |False positive? (see above)|
|[CVE-2024-13009|https://nvd.nist.gov/vuln/detail/CVE-2024-13009]|High|NVD: 7.2|org.eclipse.jetty_jetty-io|9.4.53.v20231009|9.4.57| |False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163]|High|N/A|io.netty_netty-codec-http2|4.1.118.Final|4.2.4.final, 4.1.124.final|SPARK-53436|Will be fixed in Spark 4.1.0|
|[CVE-2019-10172|https://nvd.nist.gov/vuln/detail/CVE-2019-10172]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466, SPARK-33734| |
|[CVE-2019-10202|https://nvd.nist.gov/vuln/detail/CVE-2019-10202]|Medium|N/A|jackson-mapper-asl|1.9.13| |SPARK-30466| |
|[CVE-2024-8184|https://nvd.nist.gov/vuln/detail/CVE-2024-8184]|Medium|NVD: 6.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.9, 11.0.24, 10.0.24,...|SPARK-47269|False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2024-29869|https://nvd.nist.gov/vuln/detail/CVE-2024-29869]|Medium|NVD: 5.5|org.apache.hive_hive-exec|2.3.10|4.0.1| | |
|[CVE-2025-49128|https://nvd.nist.gov/vuln/detail/CVE-2025-49128]|Medium|NVD: 4|com.fasterxml.jackson.core_jackson-core|2.12.7|2.13.0| | |
|[CVE-2025-53864|https://nvd.nist.gov/vuln/detail/CVE-2025-53864]|Medium|NVD: 5.8|com.nimbusds_nimbus-jose-jwt|9.37.2|10.0.2| | |
|[CVE-2024-9823|https://nvd.nist.gov/vuln/detail/CVE-2024-9823]|Medium|NVD: 7.5|org.eclipse.jetty_jetty-io|9.4.53.v20231009|12.0.3, 11.0.18, 10.0.18,...| |False positive? Shouldn't Jetty already be upgraded to 11.0.20 in Spark 4.0.0 (SPARK-47269)? Are multiple versions in use (see below)?|
|[CVE-2025-58057|https://nvd.nist.gov/vuln/detail/CVE-2025-58057]|Medium|NVD: 6.9|io.netty_netty-codec|4.1.118.Final|4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-58056|https://nvd.nist.gov/vuln/detail/CVE-2025-58056]|Medium|NVD: 8.2|io.netty_netty-codec-http|4.1.118.Final|4.2.5.final, 4.1.125.final|SPARK-53494|Will be fixed in Spark 4.1.0|
|[CVE-2025-67735|https://nvd.nist.gov/vuln/detail/CVE-2025-67735]|Medium|NVD: 6.5|io.netty_netty-codec-http|4.1.118.Final|4.2.8.final, 4.1.129.final| | |
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|9.4.53.v20231009|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark?|
|[CVE-2024-6763|https://nvd.nist.gov/vuln/detail/CVE-2024-6763]|Low|NVD: 3.7|org.eclipse.jetty_jetty-http|11.0.24|12.0.12|SPARK-51859, SPARK-53757|Are two different versions of Jetty used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|commons-lang_commons-lang|2.6| |SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.12.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|
|[CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]|Low|NVD: 6.5|org.apache.commons_commons-lang3|3.17.0|3.18.0|SPARK-53819|Are three different versions of commons-lang used in Spark?|
> CVEs in Spark dependencies
> --------------------------
>
> Key: SPARK-54716
> URL: https://issues.apache.org/jira/browse/SPARK-54716
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Security
> Affects Versions: 4.0.1
> Reporter: Andreas Thum
> Priority: Major
> Labels: security
>
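The recurring question in the table, whether a scanner hit such as avro 1.9.2 comes from a second copy of the library bundled inside some other jar, can be answered by listing the Maven coordinates each jar carries. The following is an added example, not code from this issue or from Spark; it assumes the jars were built by Maven and therefore contain META-INF/maven/<groupId>/<artifactId>/pom.properties, and the "example-uber.jar" in the sample is constructed, not a real Spark artifact.

```python
import io
import re
import zipfile
from collections import defaultdict

# Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties for
# themselves; a shaded (uber) jar carries one such entry per bundled dependency.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def artifacts_in_jar(jar_bytes):
    """Yield (groupId, artifactId, version) for every pom.properties inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = dict(line.split("=", 1)
                         for line in zf.read(name).decode("utf-8").splitlines()
                         if "=" in line and not line.startswith("#"))
            yield (props.get("groupId", m.group(1)),
                   props.get("artifactId", m.group(2)),
                   props.get("version", "?"))

def multiple_versions(jars):
    """jars: {filename: jar bytes}. Returns {"groupId:artifactId": {version: [files]}}
    for every artifact that occurs in more than one version across the jars."""
    seen = defaultdict(lambda: defaultdict(list))
    for fname, data in jars.items():
        for group, artifact, version in artifacts_in_jar(data):
            seen[f"{group}:{artifact}"][version].append(fname)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

def make_jar(entries):
    """Build a minimal in-memory jar: constructed test data, not a real Spark jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for group, artifact, version in entries:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()

# Constructed sample: the current avro jar beside a hypothetical uber jar that shades
# avro 1.9.2, which is exactly what makes a scanner report the old version.
SAMPLE_JARS = {
    "avro-1.12.0.jar": make_jar([("org.apache.avro", "avro", "1.12.0")]),
    "example-uber.jar": make_jar([("org.apache.avro", "avro", "1.9.2"),
                                  ("org.codehaus.jackson", "jackson-mapper-asl", "1.9.13")]),
}
```

Against a real image, build the dict from the files in the distribution's jars directory (for example `{p.name: p.read_bytes() for p in Path(jars_dir).glob("*.jar")}`, with `jars_dir` set to wherever the image keeps them). An artifact that only shows up inside another jar is a shaded copy, which an upgrade of the top-level dependency does not remove.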
--
This message was sent by Atlassian Jira
(v8.20.10#820010)