mend-bolt-for-github[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Library home page: http://spark.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.12/3.2.3/49e3e93fe968b4ab3677985e0fa6cd08289c42a1/spark-core_2.12-3.2.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.12/3.2.3/49e3e93fe968b4ab3677985e0fa6cd08289c42a1/spark-core_2.12-3.2.3.jar
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-22946
### Vulnerable Library - spark-core_2.12-3.2.3.jarLibrary home page: http://spark.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.12/3.2.3/49e3e93fe968b4ab3677985e0fa6cd08289c42a1/spark-core_2.12-3.2.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.12/3.2.3/49e3e93fe968b4ab3677985e0fa6cd08289c42a1/spark-core_2.12-3.2.3.jar
Dependency Hierarchy: - :x: **spark-core_2.12-3.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsIn Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
Publish Date: 2023-04-17
URL: CVE-2023-22946
### CVSS 3 Score Details (9.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q2/28
Release Date: 2023-04-17
Fix Resolution: 3.3.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-9493
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsA deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-25168
### Vulnerable Library - hadoop-client-api-3.3.1.jarApache Hadoop Client
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-client-api/3.3.1/4b9c9cdd9967495838fb521001699c4c9dddf183/hadoop-client-api-3.3.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-client-api/3.3.1/4b9c9cdd9967495838fb521001699c4c9dddf183/hadoop-client-api-3.3.1.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **hadoop-client-api-3.3.1.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsApache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
Publish Date: 2022-08-04
URL: CVE-2022-25168
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
Release Date: 2022-08-04
Fix Resolution (org.apache.hadoop:hadoop-client-api): 3.3.3
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-23305
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsBy design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-17571
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsIncluded in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37865
### Vulnerable Library - ivy-2.5.0.jarThe Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://ant.apache.org/ivy/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.5.0/7cd93e73e91acb868717ebf2410f966f53ae5897/ivy-2.5.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.5.0/7cd93e73e91acb868717ebf2410f966f53ae5897/ivy-2.5.0.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **ivy-2.5.0.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsWith Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1.
Publish Date: 2022-11-07
URL: CVE-2022-37865
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy
Release Date: 2022-11-07
Fix Resolution (org.apache.ivy:ivy): 2.5.1
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-23307
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsCVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-23302
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsJMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-46751
### Vulnerable Library - ivy-2.5.0.jarThe Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://ant.apache.org/ivy/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.5.0/7cd93e73e91acb868717ebf2410f966f53ae5897/ivy-2.5.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.5.0/7cd93e73e91acb868717ebf2410f966f53ae5897/ivy-2.5.0.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **ivy-2.5.0.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsImproper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
Publish Date: 2023-08-21
URL: CVE-2022-46751
### CVSS 3 Score Details (8.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-2jc4-r94c-rp7h
Release Date: 2023-08-21
Fix Resolution: org.apache.ivy:ivy:2.5.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2021-0419
### Vulnerable Library - gson-2.8.6.jarGson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - spark-network-common_2.12-3.2.3.jar - tink-1.6.0.jar - :x: **gson-2.8.6.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsDenial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-10-11
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.3.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-37136
### Vulnerable Library - netty-codec-4.1.50.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.50.Final/cbcb646c9380c6cdc3f56603ae6418a11418ce0f/netty-codec-4.1.50.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.50.Final/cbcb646c9380c6cdc3f56603ae6418a11418ce0f/netty-codec-4.1.50.Final.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - zookeeper-3.6.2.jar - netty-handler-4.1.50.Final.jar - :x: **netty-codec-4.1.50.Final.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
Publish Date: 2021-10-19
URL: CVE-2021-37136
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-37137
### Vulnerable Library - netty-codec-4.1.50.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.50.Final/cbcb646c9380c6cdc3f56603ae6418a11418ce0f/netty-codec-4.1.50.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.50.Final/cbcb646c9380c6cdc3f56603ae6418a11418ce0f/netty-codec-4.1.50.Final.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - zookeeper-3.6.2.jar - netty-handler-4.1.50.Final.jar - :x: **netty-codec-4.1.50.Final.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsThe Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-26464
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability Details** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-36090
### Vulnerable Library - commons-compress-1.20.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - avro-1.10.2.jar - :x: **commons-compress-1.20.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsWhen reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2021-07-13
URL: CVE-2021-36090
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-25647
### Vulnerable Library - gson-2.8.6.jarGson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - spark-network-common_2.12-3.2.3.jar - tink-1.6.0.jar - :x: **gson-2.8.6.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsThe package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.3.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-35517
### Vulnerable Library - commons-compress-1.20.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - avro-1.10.2.jar - :x: **commons-compress-1.20.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsWhen reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Publish Date: 2021-07-13
URL: CVE-2021-35517
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-35516
### Vulnerable Library - commons-compress-1.20.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - avro-1.10.2.jar - :x: **commons-compress-1.20.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsWhen reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35516
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-35515
### Vulnerable Library - commons-compress-1.20.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.20/b8df472b31e1f17c232d2ad78ceb1c84e00c641b/commons-compress-1.20.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - avro-1.10.2.jar - :x: **commons-compress-1.20.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsWhen reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-4104
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Path to dependency file: /recommender-examples/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsJMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37866
### Vulnerable Library - ivy-2.5.0.jarThe Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: http://ant.apache.org/ivy/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.5.0/7cd93e73e91acb868717ebf2410f966f53ae5897/ivy-2.5.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.5.0/7cd93e73e91acb868717ebf2410f966f53ae5897/ivy-2.5.0.jar
Dependency Hierarchy: - spark-core_2.12-3.2.3.jar (Root Library) - :x: **ivy-2.5.0.jar** (Vulnerable Library)
Found in HEAD commit: 82afd398322d874790c2df1867485eb47a118a9e
Found in base branch: main
### Vulnerability DetailsWhen Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1.
Publish Date: 2022-11-07
URL: CVE-2022-37866
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/htxbr8oc464hxrgroftnz3my70whk93b
Release Date: 2022-11-07
Fix Resolution (org.apache.ivy:ivy): 2.5.1
Direct dependency fix Resolution (org.apache.spark:spark-core_2.12): 3.2.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)