[ https://issues.apache.org/jira/browse/SPARK-42902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bjørn Jørgensen updated SPARK-42902:
------------------------------------
    Attachment: screenshot-1.png

> CVE-2020-13936 request for upgrading version of Velocity
> --------------------------------------------------------
>
>                 Key: SPARK-42902
>                 URL: https://issues.apache.org/jira/browse/SPARK-42902
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.2.3
>            Reporter: JacobZheng
>            Priority: Minor
>         Attachments: screenshot-1.png
>
>
> An attacker that is able to modify Velocity templates may execute arbitrary
> Java code or run arbitrary system commands with the same privileges as the
> account running the Servlet container. This applies to applications that
> allow untrusted users to upload/modify Velocity templates running Apache
> Velocity Engine versions up to 2.2.
> The current version of Velocity that Spark relies on is 1.5; should we
> upgrade to version 2.3?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)