Vulnerabilities in parquet-jackson used by Jet
olukas opened this issue · 1 comments
olukas commented
Jet uses parquet-jackson in version 1.12.3, which shades com.fasterxml.jackson.core:jackson-databind:2.13.2.2, which includes the following vulnerabilities:
- CVE-2022-42003 - https://nvd.nist.gov/vuln/detail/CVE-2022-42003
- CVE-2022-42004 - https://nvd.nist.gov/vuln/detail/CVE-2022-42004
It's the same as hazelcast/hazelcast#22407 (comment)
TomaszGaweda commented
Fix is not possible for 4.5.4 - there is no version of parquet-java that fixes the vulnerability. Previous versions are shading an even more vulnerable version of databind.
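One way to confirm which library versions a shading JAR such as the one in this issue carries, as an added example that is not part of the original thread or of Hazelcast's code: it reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries inside a JAR and flags bundled versions that appear on a watchlist. The function names, the watchlist structure and the in-memory sample JAR are constructed for illustration, and the check assumes the shaded build kept those Maven metadata files.

```python
import io
import re
import zipfile

# Maven writes each artifact's coordinates here; assumed to survive shading (a build may filter it).
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def embedded_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties in the JAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            group = props.get("groupId", m.group(1))       # fall back to the path
            artifact = props.get("artifactId", m.group(2))
            found[(group, artifact)] = props.get("version", "unknown")
    return found

def flag_shaded(jar_bytes, own_artifact, watchlist):
    """List bundled artifacts (other than the JAR's own) whose version is on the watchlist."""
    hits = []
    for coords, version in sorted(embedded_artifacts(jar_bytes).items()):
        if coords[1] != own_artifact and version in watchlist.get(coords, set()):
            hits.append("%s:%s:%s" % (coords[0], coords[1], version))
    return hits

def build_sample_jar():
    """Constructed stand-in for a shading JAR; not the real parquet-jackson artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.parquet/parquet-jackson/pom.properties",
                     "groupId=org.apache.parquet\nartifactId=parquet-jackson\nversion=1.12.3\n")
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "#Generated\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.13.2.2\n")
    return buf.getvalue()

# Watchlist entry taken from the coordinates named in the issue above.
WATCHLIST = {("com.fasterxml.jackson.core", "jackson-databind"): {"2.13.2.2"}}

if __name__ == "__main__":
    print(flag_shaded(build_sample_jar(), "parquet-jackson", WATCHLIST))
```

A JAR whose shaded dependencies had their Maven metadata stripped returns no hits here, so an empty result is not proof that nothing is bundled.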