Details
- Type: Dependency upgrade
- Status: Resolved
- Priority: Critical
- Resolution: Invalid
- Affects Version/s: 3.2.1
- Fix Version/s: None
- Component/s: None
- Labels: Patch, Important
Description
There are numerous vulnerabilities in the spark-sql Java library.
Can we please upgrade the transitive dependencies to mitigate these vulnerabilities?
Maven Dependency
<dependency>
    <groupId>org.apache.spark</groupId>
    <artifactId>spark-sql_2.13</artifactId>
    <version>3.2.1</version>
</dependency>
Vulnerabilities
Found 17 vulnerabilities (12 High, 4 Medium, 1 Low)
| SEVERITY | LIBRARY                     | ID             |
|----------|-----------------------------|----------------|
| HIGH     | commons-compress-1.20.jar   | CVE-2021-35515 |
| HIGH     | commons-compress-1.20.jar   | CVE-2021-35516 |
| HIGH     | commons-compress-1.20.jar   | CVE-2021-35517 |
| HIGH     | commons-compress-1.20.jar   | CVE-2021-36090 |
| HIGH     | gson-2.8.6.jar              | WS-2021-0419   |
| HIGH     | log4j-1.2.17.jar            | CVE-2019-17571 |
| HIGH     | log4j-1.2.17.jar            | CVE-2020-9493  |
| HIGH     | log4j-1.2.17.jar            | CVE-2021-4104  |
| HIGH     | log4j-1.2.17.jar            | CVE-2022-23302 |
| HIGH     | log4j-1.2.17.jar            | CVE-2022-23305 |
| HIGH     | log4j-1.2.17.jar            | CVE-2022-23307 |
| HIGH     | netty-all-4.1.68.Final.jar  | WS-2020-0408   |
| MEDIUM   | jackson-core-2.12.3.jar     | WS-2021-0616   |
| MEDIUM   | jackson-databind-2.12.3.jar | WS-2021-0616   |
| MEDIUM   | netty-all-4.1.68.Final.jar  | CVE-2021-43797 |
| MEDIUM   | protobuf-java-2.5.0.jar     | CVE-2021-22569 |
| LOW      | log4j-1.2.17.jar            | CVE-2020-9488  |