[ 
https://issues.apache.org/jira/browse/SPARK-35519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384394#comment-17384394
 ] 

Sean R. Owen commented on SPARK-35519:
--------------------------------------

We generally do not accept reports like "my static analyzer flagged this" 
without more info. Does this affect Spark? This also does not come in from 
Spark itself, so typically it means another library we depend on needs it - the 
update should ideally go there. We can manually manage up packages, but would 
do so only if there were any plausible theory that it affects Spark.

> Critical Vulnerabilities: nimbusds_nimbus-jose-jwt 4.41.1 shipped
> -----------------------------------------------------------------
>
>                 Key: SPARK-35519
>                 URL: https://issues.apache.org/jira/browse/SPARK-35519
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 3.0.2
>            Reporter: Louis DEFLANDRE
>            Priority: Major
>
> A vulnerability scanner is highlighting the following CRITICAL vulnerabilities in 
> {{spark-3.0.2-bin-hadoop3.2}}, coming from the obsolete {{nimbus-jose-jwt}} 
> {{4.41.1}}:
> *  [CVE-2019-17195|https://nvd.nist.gov/vuln/detail/CVE-2019-17195]
> This package is shipped within {{jars/nimbus-jose-jwt-4.41.1.jar}}
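The comment above asks which dependency actually pulls the flagged jar into the build, since it does not come from Spark's own code. The following script is an added example (not part of the Jira thread, and not Spark project code) that answers that question from the text output of `mvn dependency:tree`: it reports every chain from the project root down to a given group:artifact, names the direct dependency at the top of each chain, and flags chains whose resolved version is below an assumed minimum. The sample tree and every `org.example` coordinate are constructed for this example; `ASSUMED_MIN_SAFE` is a placeholder, not a value from the advisory.

```python
"""Trace a flagged artifact back to the direct dependency that pulls it in.

Parses `mvn dependency:tree` text output. Each tree line looks like
    [INFO] |  \\- group:artifact:packaging[:classifier]:version:scope
and every nesting level is exactly three characters wide ("+- ", "\\- ",
"|  " or "   "), so depth = len(prefix) // 3.
"""
import re
from typing import List, Tuple

# Constructed sample output; org.example coordinates are placeholders.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] org.example:app:jar:1.0.0
[INFO] +- org.example:direct-a:jar:2.3.0:compile
[INFO] |  \\- org.example:transitive-b:jar:0.9.1:compile
[INFO] |     \\- com.nimbusds:nimbus-jose-jwt:jar:4.41.1:compile
[INFO] \\- org.example:direct-c:jar:5.0.0:compile
[INFO]    \\- org.example:transitive-d:jar:1.2.0:compile
"""

# Placeholder threshold: look the real fixed version up in the advisory.
ASSUMED_MIN_SAFE = "5.0.0"

LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs; non-tree [INFO] lines are skipped."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        nodes.append((len(m.group("prefix")) // 3, m.group("coord")))
    return nodes


def coord_version(coord: str) -> str:
    """Version field: second-to-last when a scope is present, else last (root)."""
    parts = coord.split(":")
    return parts[-2] if len(parts) >= 5 else parts[-1]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Crude numeric compare; non-numeric qualifiers (rc, beta) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_paths(text: str, group: str, artifact: str) -> List[List[str]]:
    """All root-to-artifact chains for group:artifact, as coordinate lists."""
    stack: List[str] = []
    paths = []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # pop back to this node's parent
        stack.append(coord)
        g, a = coord.split(":")[:2]
        if g == group and a == artifact:
            paths.append(list(stack))
    return paths


def direct_dependencies_for(text: str, group: str, artifact: str) -> List[str]:
    """The depth-1 ancestor of each match: where an upgrade would have to go."""
    return [p[1] if len(p) > 1 else p[0] for p in find_paths(text, group, artifact)]


def flagged_chains(text: str, group: str, artifact: str, min_safe: str) -> List[List[str]]:
    """Chains whose resolved version of the artifact is older than min_safe."""
    return [p for p in find_paths(text, group, artifact)
            if version_tuple(coord_version(p[-1])) < version_tuple(min_safe)]


if __name__ == "__main__":
    for chain in flagged_chains(SAMPLE_TREE, "com.nimbusds", "nimbus-jose-jwt", ASSUMED_MIN_SAFE):
        print("flagged:", " -> ".join(chain))
        print("  upgrade via direct dependency:", chain[1])
```

Run `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` on the module in question and feed the output to `flagged_chains`; the depth-1 coordinate in each reported chain is the library whose own update would remove the old jar, which is the triage answer the comment asks for before a manual dependency override is considered.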



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
