[ https://issues.apache.org/jira/browse/SPARK-40782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17834801#comment-17834801 ]

Ramakrishna commented on SPARK-40782:
-------------------------------------

Hi, this still seems to be an issue as a transitive dependency in Hadoop:

 

│ com.fasterxml.jackson.core:jackson-databind │ CVE-2022-42003 │ HIGH │ fixed │ 2.12.7 │ 2.12.7.1, 2.13.4.2 │ jackson-databind: deep wrapper array nesting wrt │
│ (org.apache.hadoop_hadoop-client-runtime-3.3.4.jar)

 

Is there a fix for this?

> Upgrade Jackson-databind to 2.13.4.1
> ------------------------------------
>
>                 Key: SPARK-40782
>                 URL: https://issues.apache.org/jira/browse/SPARK-40782
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 3.4.0
>            Reporter: Yang Jie
>            Assignee: Yang Jie
>            Priority: Minor
>             Fix For: 3.3.1, 3.4.0
>
>
> #3590: Add check in primitive value deserializers to avoid deep wrapper array
>   nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` [CVE-2022-42003]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
