Seems like the Jackson version hasn't changed since Spark 1.4 (pom.xml
<https://github.com/apache/spark/blob/branch-1.4/pom.xml>). Even Spark 4 is
still using this super old (2013) version. Maybe it's time ...

On Tue, 18 Mar 2025 at 16:05, Mohammad, Ejas Ali
(<ejas.ali.moham...@accenture.com.invalid>) wrote:

> Hi Spark Community,
>
>
>
> I hope you are doing well.
>
> We have identified high and critical CVEs related to the
> jackson-mapper-asl package used in Apache Spark 3.5.5. We would like to
> understand if there are any official fixes or recommended mitigation steps
> available for these vulnerabilities.
>
>
>
> | CVE ID         | Severity | Packages           | Package Version | Package Path                                  |
> |:---------------|:---------|:-------------------|:----------------|:----------------------------------------------|
> | CVE-2019-10202 | critical | jackson-mapper-asl | 1.9.13          | /opt/spark/jars/jackson-mapper-asl-1.9.13.jar |
> | CVE-2019-10172 | high     | jackson-mapper-asl | 1.9.13          | /opt/spark/jars/jackson-mapper-asl-1.9.13.jar |
>
>
>
> Could you please confirm:
>
> If a patched version of Spark or a workaround exists to address these
> vulnerabilities?
>
> If there are any plans to remove or replace jackson-mapper-asl in upcoming
> releases?
>
>
>
> Looking forward to your response.
>
>
>
> Best regards,
>
> Ejas Ali
