You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Dhaval Shewale (Jira)" <ji...@apache.org> on 2022/02/18 18:05:00 UTC
[jira] [Created] (SPARK-38252) Upgrade Dependencies in spark-sql library
Dhaval Shewale created SPARK-38252:
--------------------------------------
Summary: Upgrade Dependencies in spark-sql library
Key: SPARK-38252
URL: https://issues.apache.org/jira/browse/SPARK-38252
Project: Spark
Issue Type: Dependency upgrade
Components: Java API
Affects Versions: 3.2.1
Reporter: Dhaval Shewale
There are numerous vulnerabilities in *spark-sql* Java API.
Can we pls upgrade the transitive dependencies to mitigate these vulnerabilities.
+*Dependency*+
{quote}{{<dependency>}}
{{ <groupId>org.apache.spark</groupId>}}
{{ <artifactId>spark-sql_2.13</artifactId>}}
{{ <version>3.2.1</version>}}
{{</dependency>}}
{quote}
+*Vulnerabilities*+
{quote}{{Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)}}
{{*---------------------------------------------------------*}}
{{| SEVERITY | LIBRARY | ID |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35515 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35516 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-35517 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | commons-compress-1.20.jar | CVE-2021-36090 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | gson-2.8.6.jar | WS-2021-0419 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2019-17571 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2020-9493 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2021-4104 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23302 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23305 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | log4j-1.2.17.jar | CVE-2022-23307 |}}
{{|----------|-----------------------------|----------------|}}
{{| HIGH | netty-all-4.1.68.Final.jar | WS-2020-0408 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | jackson-core-2.12.3.jar | WS-2021-0616 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | jackson-databind-2.12.3.jar | WS-2021-0616 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | netty-all-4.1.68.Final.jar | CVE-2021-43797 |}}
{{|----------|-----------------------------|----------------|}}
{{| MEDIUM | protobuf-java-2.5.0.jar | CVE-2021-22569 |}}
{{|----------|-----------------------------|----------------|}}
{{| LOW | log4j-1.2.17.jar | CVE-2020-9488 |}}
{{*---------------------------------------------------------*}}
{quote}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org