Sure, did you search the JIRA? https://issues.apache.org/jira/browse/SPARK-38340
Does this affect Spark's usage of protobuf? Looks like it can't be updated to 3.x -- this is really not a dependency of Spark but underlying dependencies. Feel free to re-attempt a change that might work, at least with Hadoop 3 if possible.

On Wed, May 4, 2022 at 10:46 AM Pralabh Kumar <pralabhku...@gmail.com> wrote:

> Hi Dev Team
>
> Spark is using protobuf 2.5.0 which is vulnerable to CVE-2021-22569. CVE
> recommends to use protobuf 3.19.2
>
> Please let me know, if there is a jira to track the update w.r.t CVE and
> Spark or should I create the one?
>
> Regards
> Pralabh Kumar