spark-sql_2.11-2.4.5.jar: 125 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - spark-sql_2.11-2.4.5.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.7/jackson-core-2.6.7.jar

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spark-sql_2.11 version)	Remediation Possible**	Reachability
CVE-2022-26612	Critical	9.8	Not Defined	0.2%	hadoop-common-2.6.5.jar	Transitive	N/A*	❌
CVE-2022-25168	Critical	9.8	Not Defined	2.3%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2022-23305	Critical	9.8	Not Defined	14.1%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2020-9548	Critical	9.8	Not Defined	70.4%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-9547	Critical	9.8	Not Defined	53.600002%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-9546	Critical	9.8	Not Defined	2.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-9493	Critical	9.8	Not Defined	0.6%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2020-9480	Critical	9.8	Not Defined	80.6%	spark-network-common_2.11-2.4.5.jar	Transitive	2.4.6	✅
CVE-2020-8840	Critical	9.8	Not Defined	8.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2019-20330	Critical	9.8	Not Defined	2.0%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2019-17571	Critical	9.8	Not Defined	54.000004%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2019-17531	Critical	9.8	Not Defined	1.2%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2019-17267	Critical	9.8	Not Defined	1.4000001%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2019-14893	Critical	9.8	Not Defined	0.70000005%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2019-14540	Critical	9.8	Not Defined	8.0%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2019-10202	Critical	9.8	Not Defined	1.8%	detected in multiple dependencies	Transitive	2.4.6	✅
CVE-2018-7489	Critical	9.8	Not Defined	36.199997%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2018-19360	Critical	9.8	Not Defined	6.8%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2018-11307	Critical	9.8	Not Defined	13.0%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2017-17485	Critical	9.8	Not Defined	76.4%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2023-44981	Critical	9.1	Not Defined	0.0%	zookeeper-3.4.6.jar	Transitive	2.4.6	✅
CVE-2022-37865	Critical	9.1	Not Defined	0.4%	ivy-2.4.0.jar	Transitive	N/A*	❌
CVE-2019-20445	Critical	9.1	Not Defined	0.4%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2019-20444	Critical	9.1	Not Defined	2.2%	detected in multiple dependencies	Transitive	2.4.6	✅
CVE-2022-33891	High	8.8	High	93.2%	spark-core_2.11-2.4.5.jar	Transitive	N/A*	❌
CVE-2022-23307	High	8.8	Not Defined	0.9%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2022-23302	High	8.8	Not Defined	0.5%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2020-9492	High	8.8	Not Defined	0.1%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
CVE-2020-11113	High	8.8	Not Defined	60.7%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-11112	High	8.8	Not Defined	11.4%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-11111	High	8.8	Not Defined	2.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10969	High	8.8	Not Defined	1.4000001%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10673	High	8.8	Not Defined	20.5%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10672	High	8.8	Not Defined	40.1%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2018-8029	High	8.8	Not Defined	2.3%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2018-8009	High	8.8	Not Defined	8.299999%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2024-36114	High	8.6	Not Defined	0.1%	aircompressor-0.10.jar	Transitive	2.4.6	✅
CVE-2022-46751	High	8.2	Not Defined	0.2%	ivy-2.4.0.jar	Transitive	2.4.6	✅
CVE-2024-25710	High	8.1	Not Defined	0.0%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2021-20190	High	8.1	Not Defined	0.5%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36189	High	8.1	Not Defined	2.6000001%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36188	High	8.1	Not Defined	7.0%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36187	High	8.1	Not Defined	2.0%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36186	High	8.1	Not Defined	2.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36185	High	8.1	Not Defined	2.0%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36184	High	8.1	Not Defined	5.1%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36183	High	8.1	Not Defined	2.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36182	High	8.1	Not Defined	2.1%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36181	High	8.1	Not Defined	6.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36180	High	8.1	Not Defined	2.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-36179	High	8.1	Not Defined	61.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-24750	High	8.1	Not Defined	2.1%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-24616	High	8.1	Not Defined	3.8%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-14195	High	8.1	Not Defined	9.5%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-14062	High	8.1	Not Defined	7.7%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-14061	High	8.1	Not Defined	6.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-14060	High	8.1	Not Defined	8.7%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-11620	High	8.1	Not Defined	2.8000002%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-10650	High	8.1	Not Defined	6.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2017-3166	High	7.8	Not Defined	0.2%	hadoop-mapreduce-client-core-2.6.5.jar	Transitive	2.4.6	✅
WS-2021-0419	High	7.7	Not Defined		gson-2.2.4.jar	Transitive	2.4.6	✅
CVE-2022-25647	High	7.7	Not Defined	1.7%	gson-2.2.4.jar	Transitive	2.4.6	✅
WS-2022-0468	High	7.5	Not Defined		jackson-core-2.6.7.jar	Transitive	2.4.6	✅
CVE-2025-58057	High	7.5	Not Defined	0.0%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2025-52999	High	7.5	Not Defined	0.0%	jackson-core-2.6.7.jar	Transitive	2.4.6	✅
CVE-2023-43642	High	7.5	Not Defined	0.1%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2023-39410	High	7.5	Not Defined	0.1%	avro-1.8.2.jar	Transitive	2.4.6	✅
CVE-2023-34455	High	7.5	Not Defined	0.4%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2023-26464	High	7.5	Not Defined	0.1%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2022-42004	High	7.5	Not Defined	0.2%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2022-42003	High	7.5	Not Defined	0.3%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2022-37866	High	7.5	Not Defined	0.6%	ivy-2.4.0.jar	Transitive	N/A*	❌
CVE-2021-4104	High	7.5	High	72.2%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2021-37137	High	7.5	Not Defined	0.6%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2021-37136	High	7.5	Not Defined	0.2%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2021-36090	High	7.5	Not Defined	0.3%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2021-35517	High	7.5	Not Defined	0.3%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2021-35516	High	7.5	Not Defined	0.3%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2021-35515	High	7.5	Not Defined	0.1%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2020-7238	High	7.5	Not Defined	0.70000005%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2020-36518	High	7.5	Not Defined	0.5%	jackson-databind-2.6.7.3.jar	Transitive	N/A*	❌
CVE-2020-25649	High	7.5	Not Defined	0.0%	jackson-databind-2.6.7.3.jar	Transitive	2.4.6	✅
CVE-2020-11612	High	7.5	Not Defined	1.8%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2019-10172	High	7.5	Not Defined	0.4%	jackson-mapper-asl-1.9.13.jar	Transitive	N/A*	❌
CVE-2018-8012	High	7.5	Not Defined	0.9%	zookeeper-3.4.6.jar	Transitive	2.4.6	✅
CVE-2018-1296	High	7.5	Not Defined	0.6%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
CVE-2018-11768	High	7.5	Not Defined	2.6000001%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
CVE-2017-5637	High	7.5	Not Defined	16.9%	zookeeper-3.4.6.jar	Transitive	2.4.6	✅
CVE-2012-0881	High	7.5	Not Defined	0.9%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
WS-2020-0408	High	7.4	Not Defined		netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2024-47561	High	7.3	Not Defined	1.6%	avro-1.8.2.jar	Transitive	2.4.6	✅
CVE-2017-3162	High	7.3	Not Defined	1.9%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
WS-2019-0379	Medium	6.5	Not Defined		commons-codec-1.10.jar	Transitive	N/A*	❌
CVE-2025-46392	Medium	6.5	Not Defined	0.1%	commons-configuration-1.6.jar	Transitive	2.4.6	✅
CVE-2023-34462	Medium	6.5	Not Defined	0.6%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2022-23437	Medium	6.5	Not Defined	0.1%	xercesImpl-2.9.1.jar	Transitive	N/A*	❌
CVE-2021-43797	Medium	6.5	Not Defined	0.1%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2021-37533	Medium	6.5	Not Defined	0.2%	commons-net-3.1.jar	Transitive	2.4.6	✅
CVE-2017-15713	Medium	6.5	Not Defined	0.1%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2023-22946	Medium	6.4	Not Defined	0.2%	spark-core_2.11-2.4.5.jar	Transitive	N/A*	❌
CVE-2021-21290	Medium	6.2	Not Defined	0.0%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2017-3161	Medium	6.1	Not Defined	5.0%	hadoop-hdfs-2.6.5.jar	Transitive	2.4.6	✅
CVE-2023-34454	Medium	5.9	Not Defined	0.2%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2023-34453	Medium	5.9	Not Defined	0.8%	snappy-java-1.1.1.3.jar	Transitive	2.4.6	✅
CVE-2021-21409	Medium	5.9	Not Defined	5.0%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2021-21295	Medium	5.9	Not Defined	1.0%	netty-all-4.1.42.Final.jar	Transitive	2.4.6	✅
CVE-2019-0201	Medium	5.9	Not Defined	0.3%	zookeeper-3.4.6.jar	Transitive	2.4.6	✅
CVE-2013-4002	Medium	5.9	Not Defined	1.4000001%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
CVE-2022-24823	Medium	5.5	Not Defined	0.3%	netty-all-4.1.42.Final.jar	Transitive	N/A*	❌
CVE-2018-11771	Medium	5.5	Not Defined	0.70000005%	commons-compress-1.8.1.jar	Transitive	2.4.6	✅
CVE-2022-31777	Medium	5.4	Not Defined	0.3%	spark-core_2.11-2.4.5.jar	Transitive	N/A*	❌
WS-2018-0125	Medium	5.3	Not Defined		jackson-core-2.6.7.jar	Transitive	2.4.6	✅
WS-2018-0124	Medium	5.3	Not Defined		jackson-core-2.6.7.jar	Transitive	2.4.6	✅
WS-2017-3734	Medium	5.3	Not Defined		httpclient-4.2.5.jar	Transitive	2.4.6	✅
CVE-2025-48924	Medium	5.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	2.4.6	✅
CVE-2020-14338	Medium	5.3	Not Defined	0.6%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
CVE-2020-13956	Medium	5.3	Not Defined	0.5%	httpclient-4.2.5.jar	Transitive	2.4.6	✅
CVE-2009-2625	Medium	5.3	Not Defined	0.4%	xercesImpl-2.9.1.jar	Transitive	2.4.6	✅
CVE-2014-3577	Medium	4.8	Not Defined	1.4000001%	httpclient-4.2.5.jar	Transitive	2.4.6	✅
CVE-2012-5783	Medium	4.8	Not Defined	0.6%	commons-httpclient-3.1.jar	Transitive	2.4.6	✅
CVE-2025-49128	Medium	4.0	Not Defined	0.0%	jackson-core-2.6.7.jar	Transitive	N/A*	❌
CVE-2024-23454	Medium	4.0	Not Defined	0.1%	hadoop-common-2.6.5.jar	Transitive	2.4.6	✅
CVE-2020-9488	Low	3.7	Not Defined	0.0%	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2015-5262	Low	3.7	Not Defined	0.9%	httpclient-4.2.5.jar	Transitive	N/A*	❌
CVE-2012-6153	Low	3.7	Not Defined	1.9%	commons-httpclient-3.1.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (11 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-26612

Vulnerable Library - hadoop-common-2.6.5.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.6.5/hadoop-common-2.6.5.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • ❌ hadoop-common-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3

Publish Date: 2022-04-07

URL: CVE-2022-26612

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612

Release Date: 2022-04-07

Fix Resolution: org.apache.hadoop:hadoop-common:3.2.3

CVE-2022-25168

Vulnerable Library - hadoop-common-2.6.5.jar

Apache Hadoop Common

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.6.5/hadoop-common-2.6.5.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • ❌ hadoop-common-2.6.5.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).

Publish Date: 2022-08-04

URL: CVE-2022-25168

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Release Date: 2022-08-04

Fix Resolution (org.apache.hadoop:hadoop-common): 2.10.2

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23305

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 14.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2020-9548

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 70.4%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9547

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 53.600002%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-q93h-jc49-78gg

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9546

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9493

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2020-9480

Vulnerable Library - spark-network-common_2.11-2.4.5.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://spark.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/spark/spark-network-common_2.11/2.4.5/spark-network-common_2.11-2.4.5.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • ❌ spark-network-common_2.11-2.4.5.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Publish Date: 2020-06-23

URL: CVE-2020-9480

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 80.6%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spark.apache.org/security.html#CVE-2020-9480

Release Date: 2020-06-23

Fix Resolution (org.apache.spark:spark-network-common_2.11): 2.4.6

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8840

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 8.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-20330

Vulnerable Library - jackson-databind-2.6.7.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • spark-kvstore_2.11-2.4.5.jar
      • ❌ jackson-databind-2.6.7.3.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.0%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (org.apache.spark:spark-sql_2.11): 2.4.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-17571

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• spark-sql_2.11-2.4.5.jar (Root Library)
  • spark-core_2.11-2.4.5.jar
    • hadoop-client-2.6.5.jar
      • hadoop-common-2.6.5.jar
        • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: aa024c4f3cb139ab3f9e3fbfc598d6d8def6fd56

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 54.000004%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

---

⛑️Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.