Posted to issues@spark.apache.org by "Sean R. Owen (Jira)" <ji...@apache.org> on 2021/07/20 16:44:00 UTC

[jira] [Commented] (SPARK-35519) Critical Vulnerabilities: nimbusds_nimbus-jose-jwt 4.41.1 shipped

    [ https://issues.apache.org/jira/browse/SPARK-35519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384394#comment-17384394 ] 

Sean R. Owen commented on SPARK-35519:
--------------------------------------

We generally do not accept reports like "my static analyzer flagged this" without more info. Does this affect Spark? This also does not come in from Spark itself, so typically it means another library we depend on needs it - the update should ideally go there. We can manually manage up packages, but would do so only if there were any plausible theory that it affects Spark.

> Critical Vulnerabilities: nimbusds_nimbus-jose-jwt 4.41.1 shipped
> -----------------------------------------------------------------
>
>                 Key: SPARK-35519
>                 URL: https://issues.apache.org/jira/browse/SPARK-35519
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 3.0.2
>            Reporter: Louis DEFLANDRE
>            Priority: Major
>
> A vulnerability scanner is highlighting the following CRITICAL vulnerabilities in {{spark-3.0.2-bin-hadoop3.2}}, coming from the obsolete {{nimbus-jose-jwt}} {{4.41.1}}:
> *  [CVE-2019-17195|https://nvd.nist.gov/vuln/detail/CVE-2019-17195]
> This package is shipped within {{jars/nimbus-jose-jwt-4.41.1.jar}}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
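The report above is a version-string match: the scanner found nimbus-jose-jwt-4.41.1.jar in the distribution's jars/ directory and compared 4.41.1 against the affected range NVD lists for CVE-2019-17195 (Nimbus JOSE+JWT before 7.9). The POSIX shell script below, added here as an example and not part of the Jira thread or of the Spark build, reproduces that check offline. The directory listing is constructed, and the helper names and the FIXED_VERSION constant are assumptions for the example.

```shell
#!/bin/sh
# Added example: flag a shipped nimbus-jose-jwt jar whose version predates the
# CVE-2019-17195 fix. The fixed version (7.9) is taken from the NVD entry for the CVE.
FIXED_VERSION="7.9"

# version_lt A B: exit 0 if dotted version A is strictly lower than B, else exit 1.
# Compares component by component numerically, so 7.10 is newer than 7.9.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      ai = (i <= n) ? x[i] + 0 : 0;
      bi = (i <= m) ? y[i] + 0 : 0;
      if (ai < bi) exit 0;
      if (ai > bi) exit 1;
    }
    exit 1;
  }'
}

# jar_version ARTIFACT LISTING: print the version embedded in ARTIFACT-<version>.jar,
# given a listing with one file name per line (empty output if the artifact is absent).
jar_version() {
  printf '%s\n' "$2" | sed -n "s/^$1-\([0-9][0-9.]*\)\.jar\$/\1/p" | head -n 1
}

# check_listing LISTING: print "vulnerable <v>", "fixed <v>" or "absent" for nimbus-jose-jwt.
check_listing() {
  v=$(jar_version nimbus-jose-jwt "$1")
  if [ -z "$v" ]; then
    echo absent
    return 0
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable $v"
  else
    echo "fixed $v"
  fi
}

# Constructed sample: an abbreviated jars/ listing of the kind the report describes.
SAMPLE_LISTING="hadoop-auth-3.2.0.jar
nimbus-jose-jwt-4.41.1.jar
json-smart-2.3.jar"

# Real use: check_listing "$(ls /path/to/spark/jars)"
check_listing "$SAMPLE_LISTING"
```

The file name is only a proxy for the version, so confirm it from the jar itself (for example `unzip -p jars/nimbus-jose-jwt-4.41.1.jar META-INF/MANIFEST.MF`). To find which direct dependency pulls the artifact into the build, which is where the comment above says the update should ideally go, run `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` against the project's pom.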
