[ https://issues.apache.org/jira/browse/SPARK-42902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17705117#comment-17705117 ]

Bjørn Jørgensen commented on SPARK-42902:
-----------------------------------------

We have that as an exclusion in pom.xml.
Do you find it somewhere else?

 !screenshot-1.png! 

> CVE-2020-13936 request for upgrading version of Velocity
> --------------------------------------------------------
>
>                 Key: SPARK-42902
>                 URL: https://issues.apache.org/jira/browse/SPARK-42902
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.2.3
>            Reporter: JacobZheng
>            Priority: Minor
>         Attachments: screenshot-1.png
>
>
> An attacker that is able to modify Velocity templates may execute arbitrary 
> Java code or run arbitrary system commands with the same privileges as the 
> account running the Servlet container. This applies to applications that 
> allow untrusted users to upload/modify velocity templates running Apache 
> Velocity Engine versions up to 2.2.
> The current version of Velocity that Spark relies on is 1.5. Should we 
> upgrade to version 2.3?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
