spark-sql_2.11-2.4.5.jar: 105 vulnerabilities (highest severity is: 9.8)

[mend-for-github.zerozr99.workers.dev]

Vulnerable Library - spark-sql_2.11-2.4.5.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.7/jackson-core-2.6.7.jar

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spark-sql_2.11 version)	Remediation Possible**	Reachability
CVE-2022-26612	Critical	9.8	Not Defined	0.2%	hadoop-common-2.6.5.jar	Transitive	N/A*	❌
CVE-2022-25168	Critical	9.8	Not Defined	2.8000002%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2022-23305	Critical	9.8	Not Defined	8.0%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2020-9493	Critical	9.8	Not Defined	0.3%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2020-9480	Critical	9.8	Not Defined	93.3%	spark-network-common_2.11-2.4.5.jar	Transitive	N/A*	❌
CVE-2019-20330	Critical	9.8	Not Defined	1.9%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2019-17571	Critical	9.8	Not Defined	48.5%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2019-17531	Critical	9.8	Not Defined	1.1%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2019-17267	Critical	9.8	Not Defined	1.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2019-14893	Critical	9.8	Not Defined	0.70000005%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2019-14540	Critical	9.8	Not Defined	7.1000004%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2019-14379	Critical	9.8	Not Defined	1.8%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2019-10202	Critical	9.8	Not Defined	7.2%	detected in multiple dependencies	Transitive	2.4.6	✅
CVE-2018-7489	Critical	9.8	Not Defined	36.199997%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2018-19360	Critical	9.8	Not Defined	4.1%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2018-14719	Critical	9.8	Not Defined	2.2%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2018-11307	Critical	9.8	Not Defined	12.6%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2017-17485	Critical	9.8	Not Defined	79.799995%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2025-12183	Critical	9.1	Not Defined	0.2%	lz4-java-1.4.0.jar	Transitive	2.4.6	✅
CVE-2023-44981	Critical	9.1	Not Defined	0.0%	zookeeper-3.4.6.jar	Transitive	2.4.6	✅
CVE-2022-37865	Critical	9.1	Not Defined	0.4%	ivy-2.4.0.jar	Transitive	N/A*	❌
CVE-2019-20445	Critical	9.1	Not Defined	2.8000002%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2019-20444	Critical	9.1	Not Defined	11.1%	detected in multiple dependencies	Transitive	2.4.6	✅
CVE-2022-33891	High	8.8	High	93.6%	spark-core_2.11-2.4.5.jar	Transitive	N/A*	❌
CVE-2022-23307	High	8.8	Not Defined	1.9%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2022-23302	High	8.8	Not Defined	0.70000005%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2020-9492	High	8.8	Not Defined	0.1%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
CVE-2020-11113	High	8.8	Not Defined	60.7%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-11112	High	8.8	Not Defined	6.8%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-11111	High	8.8	Not Defined	2.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10969	High	8.8	Not Defined	1.4000001%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10673	High	8.8	Not Defined	20.5%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10672	High	8.8	Not Defined	35.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2018-8029	High	8.8	Not Defined	2.2%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2018-8009	High	8.8	Not Defined	10.3%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2016-6811	High	8.8	Not Defined	0.5%	hadoop-common-2.6.5.jar	Transitive	N/A*	❌
CVE-2024-36114	High	8.6	Not Defined	0.1%	aircompressor-0.10.jar	Transitive	2.4.6	✅
CVE-2022-46751	High	8.2	Not Defined	0.2%	ivy-2.4.0.jar	Transitive	2.4.6	✅
CVE-2024-25710	High	8.1	Not Defined	0.0%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2020-14195	High	8.1	Not Defined	9.5%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-14062	High	8.1	Not Defined	7.7%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-14061	High	8.1	Not Defined	6.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-14060	High	8.1	Not Defined	8.7%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-11620	High	8.1	Not Defined	2.1%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10650	High	8.1	Not Defined	8.6%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2018-5968	High	8.1	Not Defined	2.3%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2017-3166	High	7.8	Not Defined	0.2%	hadoop-mapreduce-client-core-2.6.5.jar	Transitive	2.4.6	✅
WS-2021-0419	High	7.7	Not Defined		gson-2.2.4.jar	Transitive	2.4.6	✅
CVE-2022-25647	High	7.7	Not Defined	2.8000002%	gson-2.2.4.jar	Transitive	2.4.6	✅
WS-2022-0468	High	7.5	Not Defined		jackson-core-2.6.7.jar	Transitive	2.4.6	✅
CVE-2025-66566	High	7.5	Not Defined		lz4-java-1.4.0.jar	Transitive	N/A*	❌
CVE-2025-58057	High	7.5	Not Defined	0.0%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2025-52999	High	7.5	Not Defined	0.0%	jackson-core-2.6.7.jar	Transitive	2.4.6	✅
CVE-2023-43642	High	7.5	Not Defined	0.2%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2023-39410	High	7.5	Not Defined	0.1%	avro-1.8.2.jar	Transitive	2.4.6	✅
CVE-2023-34455	High	7.5	Not Defined	0.6%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2023-26464	High	7.5	Not Defined	0.1%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2022-42004	High	7.5	Not Defined	0.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2022-42003	High	7.5	Not Defined	0.4%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2022-37866	High	7.5	Not Defined	1.0%	ivy-2.4.0.jar	Transitive	N/A*	❌
CVE-2021-4104	High	7.5	High	72.2%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2021-37137	High	7.5	Not Defined	2.4%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2021-37136	High	7.5	Not Defined	1.0%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2020-7238	High	7.5	Not Defined	0.70000005%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2020-11612	High	7.5	Not Defined	4.7%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2018-1296	High	7.5	Not Defined	0.6%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
CVE-2018-12022	High	7.5	Not Defined	2.8999999%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2018-11768	High	7.5	Not Defined	1.3000001%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
CVE-2017-7669	High	7.5	Not Defined	0.3%	hadoop-common-2.6.5.jar	Transitive	N/A*	❌
CVE-2012-0881	High	7.5	Not Defined	0.9%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
WS-2020-0408	High	7.4	Not Defined		netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2024-47561	High	7.3	Not Defined	0.5%	avro-1.8.2.jar	Transitive	2.4.6	✅
CVE-2017-3162	High	7.3	Not Defined	1.9%	detected in multiple dependencies	Transitive	2.4.6	✅
WS-2019-0379	Medium	6.5	Not Defined		commons-codec-1.10.jar	Transitive	N/A*	❌
CVE-2025-46392	Medium	6.5	Not Defined	0.2%	commons-configuration-1.6.jar	Transitive	2.4.6	✅
CVE-2023-34462	Medium	6.5	Not Defined	1.2%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2022-23437	Medium	6.5	Not Defined	0.1%	xercesImpl-2.9.1.jar	Transitive	N/A*	❌
CVE-2021-43797	Medium	6.5	Not Defined	0.5%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2017-15713	Medium	6.5	Not Defined	0.3%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2023-22946	Medium	6.4	Not Defined	0.3%	spark-core_2.11-2.4.5.jar	Transitive	N/A*	❌
CVE-2021-21290	Medium	6.2	Not Defined	0.0%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2017-3161	Medium	6.1	Not Defined	5.0%	detected in multiple dependencies	Transitive	2.4.6	✅
CVE-2023-34454	Medium	5.9	Not Defined	0.6%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2023-34453	Medium	5.9	Not Defined	1.6%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2021-21409	Medium	5.9	Not Defined	2.5%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2021-21295	Medium	5.9	Not Defined	0.4%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2019-0201	Medium	5.9	Not Defined	0.2%	zookeeper-3.4.6.jar	Transitive	2.4.6	✅
CVE-2013-4002	Medium	5.9	Not Defined	1.4000001%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
CVE-2022-24823	Medium	5.5	Not Defined	0.4%	netty-all-4.1.42.Final.jar	Transitive	N/A*	❌
CVE-2018-11771	Medium	5.5	Not Defined	1.3000001%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2022-31777	Medium	5.4	Not Defined	0.1%	spark-core_2.11-2.4.5.jar	Transitive	N/A*	❌
WS-2018-0125	Medium	5.3	Not Defined		jackson-core-2.6.7.jar	Transitive	2.4.6	✅
WS-2018-0124	Medium	5.3	Not Defined		jackson-core-2.6.7.jar	Transitive	2.4.6	✅
WS-2017-3734	Medium	5.3	Not Defined		httpclient-4.2.5.jar	Transitive	2.4.6	✅
CVE-2025-48924	Medium	5.3	Not Defined	0.0%	detected in multiple dependencies	Transitive	2.4.6	✅
CVE-2020-14338	Medium	5.3	Not Defined	0.6%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
CVE-2020-13956	Medium	5.3	Not Defined	0.5%	httpclient-4.2.5.jar	Transitive	2.4.6	✅
CVE-2009-2625	Medium	5.3	Not Defined	0.5%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
CVE-2014-3577	Medium	4.8	Not Defined	1.4000001%	httpclient-4.2.5.jar	Transitive	2.4.6	✅
CVE-2012-5783	Medium	4.8	Not Defined	0.6%	commons-httpclient-3.1.jar	Transitive	2.4.6	✅
CVE-2025-49128	Medium	4.0	Not Defined	0.0%	jackson-core-2.6.7.jar	Transitive	N/A*	❌
CVE-2024-23454	Medium	4.0	Not Defined	0.0%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2020-9488	Low	3.7	Not Defined	0.0%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2015-5262	Low	3.7	Not Defined	0.9%	httpclient-4.2.5.jar	Transitive	N/A*	❌
CVE-2012-6153	Low	3.7	Not Defined	1.0%	commons-httpclient-3.1.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (13 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-26612

Vulnerable Library - hadoop-common-2.6.5.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.6.5/hadoop-common-2.6.5.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • ❌ hadoop-common-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3

Publish Date: 2022-04-07

URL: CVE-2022-26612

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612

Release Date: 2022-04-07

Fix Resolution: org.apache.hadoop:hadoop-common:3.2.3

CVE-2022-25168

Vulnerable Library - hadoop-common-2.6.5.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.6.5/hadoop-common-2.6.5.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • ❌ hadoop-common-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).

Publish Date: 2022-08-04

URL: CVE-2022-25168

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.8000002%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Release Date: 2022-08-04

Fix Resolution (org.apache.hadoop:hadoop-common): 2.10.2

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23305

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 8.0%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2020-9493

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2020-9480

Vulnerable Library - spark-network-common_2.11-2.4.5.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://spark.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/spark/spark-network-common_2.11/2.4.5/spark-network-common_2.11-2.4.5.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • ❌ spark-network-common_2.11-2.4.5.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Publish Date: 2020-06-23

URL: CVE-2020-9480

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 93.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wgx7-jwwm-cgjv

Release Date: 2020-06-23

Fix Resolution: org.apache.spark:spark-parent_2.11:2.4.6,pyspark - 2.4.6

CVE-2019-20330

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.9%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-17571

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 48.5%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

CVE-2019-17531

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-gjmw-vf9h-g25v

Release Date: 2019-10-12

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10.1

CVE-2019-17267

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-06

URL: CVE-2019-17267

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14893

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14893

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14540

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.1000004%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-h822-r4r5-v8jg

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10

CVE-2019-14379

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.8%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-6fpp-rgj9-8rwc

Release Date: 2019-07-29

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.6,2.8.11.4,2.9.9.2

CVE-2019-10202

Vulnerable Libraries - jackson-databind-2.6.7.3.jar, jackson-mapper-asl-1.9.13.jar

jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Library home page: http://fasterxml.com

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.13/jackson-mapper-asl-1.9.13.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • avro-1.8.2.jar
      • ❌ jackson-mapper-asl-1.9.13.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

Fix Resolution (org.codehaus.jackson:jackson-mapper-asl): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[mend-for-github.zerozr99.workers.dev]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github.zerozr99.workers.dev]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.