What scanner did you use? Looks like all CVEs you listed for jackson-databind-xxx.jar are for older versions (2.9.10.x).  A quick search on NVD revealed that there is only one CVE (CVE-2020-36518) that affects your Spark versions.  This CVE (not on your scanned CVE list) is on jackson-databind jar versions before 2.13.0, and Spark 3.2.1 uses version 2.12.x.  The other two Spark versions use version 2.10.x.

Surprisingly, Spark 3.2.0 uses the jackson-databind library of version 2.13.0 (don't know why 3.2.1 uses an older version) so Spark 3.2.0 shouldn't have any known CVEs related to jackson-databind. You may want to either use Spark 3.2.0 or do your own Spark build with the latest version of jackson-databind lib (2.14.x).

On 5/2/22 1:46 AM, HARSH TAKKAR wrote:
We scanned 3 versions of Spark: 3.0.0, 3.1.3, 3.2.1



On Tue, 26 Apr, 2022, 18:46 Bjørn Jørgensen, <bjornjorgen...@gmail.com> wrote:

    What version of spark is it that you have scanned?



    Tue 26 Apr 2022 at 12:48 HARSH TAKKAR
    <takkarha...@gmail.com> wrote:

        Hello,

        Please let me know if there is a fix available for the following
        vulnerabilities in the htrace jar used in the Spark jars folder.
        LIBRARY: com.fasterxml.jackson.core:jackson-databind

        VULNERABILITY IDs:

        CVE-2020-9548
        CVE-2020-9547
        CVE-2020-8840
        CVE-2020-36179
        CVE-2020-35491
        CVE-2020-35490
        CVE-2020-25649
        CVE-2020-24750
        CVE-2020-24616
        CVE-2020-10673
        CVE-2019-20330
        CVE-2019-17531
        CVE-2019-17267
        CVE-2019-16943
        CVE-2019-16942
        CVE-2019-16335
        CVE-2019-14893
        CVE-2019-14892
        CVE-2019-14540
        CVE-2019-14439
        CVE-2019-14379
        CVE-2019-12086
        CVE-2018-7489
        CVE-2018-5968
        CVE-2018-14719
        CVE-2018-14718
        CVE-2018-12022
        CVE-2018-11307
        CVE-2017-7525
        CVE-2017-17485
        CVE-2017-15095


        Kind Regards

        Harsh Takkar



-- Bjørn Jørgensen
    Vestre Aspehaug 4, 6010 Ålesund
    Norge

    +47 480 94 297
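Added example, not part of this thread: a small Python check of the reasoning in the reply above. It reads the jackson-databind version out of the jar names in a Spark distribution's jars/ folder and compares it with each advisory's first fixed release, so a CVE is only reported when the bundled version really falls inside its vulnerable range rather than on an artifact-name match alone. The jar names are constructed, and the two fixed-version thresholds are taken from the statements in this thread as assumptions, not from NVD.

```python
import re

# "<artifact>-<version>.jar" as found in a Spark jars/ folder, e.g. jackson-databind-2.12.3.jar
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*(?:-\w+)?)\.jar$")
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\w+))?$")

def parse_version(text):
    """Map '2.12.3' to a sortable tuple: numeric parts padded to four components
    (so 2.13 == 2.13.0 and 2.9.10.3 < 2.9.10.4); a pre-release tag such as
    '2.14.0-rc1' sorts below the final release."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + ((0, m.group(2)) if m.group(2) else (1, ""))

def is_affected(version, first_fixed):
    """True when `version` is older than the first release carrying the fix."""
    return parse_version(version) < parse_version(first_fixed)

def scan_jars(jar_names, advisories):
    """advisories maps a CVE id to (artifact, first_fixed_version). Returns
    {jar_name: [cve ids whose vulnerable range actually contains that jar]}."""
    findings = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not an "<artifact>-<version>.jar" name
        artifact, version = m.group("artifact"), m.group("version")
        hits = [cve for cve, (art, fixed) in advisories.items()
                if art == artifact and is_affected(version, fixed)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: jackson-databind versions this thread attributes to the
# scanned Spark releases (3.0.0 -> 2.10.x, 3.2.1 -> 2.12.x, 3.2.0 -> 2.13.0),
# one jar from the 2.9.10.x line the scanner's CVEs target, and an unrelated jar.
SAMPLE_JARS = ["jackson-databind-2.9.10.3.jar", "jackson-databind-2.10.0.jar",
               "jackson-databind-2.12.3.jar", "jackson-databind-2.13.0.jar",
               "spark-core_2.12-3.2.1.jar"]
# First fixed release per advisory: "before 2.13.0" for CVE-2020-36518 as stated
# above; 2.10.0 for CVE-2020-9548 because the reply says the scanner's CVEs
# cover 2.9.10.x (assumption drawn from the thread, not checked against NVD).
ADVISORIES = {"CVE-2020-9548": ("jackson-databind", "2.10.0"),
              "CVE-2020-36518": ("jackson-databind", "2.13.0")}

if __name__ == "__main__":
    for jar, cves in scan_jars(SAMPLE_JARS, ADVISORIES).items():
        print(f"{jar}: {', '.join(cves)}")
```

With these thresholds only the 2.9.10.x jar matches the scanner-listed CVE, while the 2.13.0 jar (Spark 3.2.0) is reported clean, which is the conclusion of the reply above.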
