Status
Fixed version
3.5.4-r31
Status
Impact
This vulnerability relates to 'netty-codec-http', which is used by pyspark, one of Spark's other dependencies. pyspark copies a number of JARs from the Spark build process, one of those being 'netty-codec-http'. This has been fixed in netty > v4.1.108, and Spark has upgraded to a later version in main. However, attempts to backport the upgrade to this release of Spark result in build failures. Awaiting a fix or backport from upstream to address this issue.
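To confirm which 'netty-codec-http' version a given pyspark install actually bundles, the following added example (not part of the original advisory or of Spark) checks JAR file names against the threshold stated above. It assumes the bundled JARs sit in a `jars` directory inside the installed pyspark package and are named `netty-codec-http-<version>.Final.jar`; the sample listing is constructed.

```python
import re
from pathlib import Path

# Threshold from the advisory text ("fixed in netty > v4.1.108"),
# applied strictly as written: 4.1.108 itself is still reported.
THRESHOLD = (4, 1, 108)

# Matches netty-codec-http only; netty-codec-http2 is a different artifact.
JAR_RE = re.compile(
    r"^netty-codec-http-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"
)


def check_jar_names(names):
    """Return (name, version, affected) for each netty-codec-http JAR name."""
    findings = []
    for name in names:
        m = JAR_RE.match(name)
        if not m:
            continue  # unrelated JARs are out of scope for this check
        version = tuple(int(part) for part in m.groups())
        findings.append((name, version, not version > THRESHOLD))
    return findings


def scan_jar_dir(jar_dir):
    """Scan one directory of bundled JARs (assumed: <site-packages>/pyspark/jars)."""
    return check_jar_names(sorted(p.name for p in Path(jar_dir).glob("*.jar")))


# Constructed sample listing, not taken from any real image or package.
SAMPLE = [
    "netty-codec-http-4.1.96.Final.jar",
    "netty-codec-http2-4.1.96.Final.jar",
    "netty-codec-http-4.1.108.Final.jar",
    "netty-codec-http-4.1.110.Final.jar",
    "spark-core_2.12-3.5.4.jar",
]

if __name__ == "__main__":
    for name, version, affected in check_jar_names(SAMPLE):
        print(f"{name}: {'AFFECTED' if affected else 'ok'}")
```

Point `scan_jar_dir` at the `jars` directory of each pyspark install or image layer to be inventoried; a file-name check does not detect shaded or renamed copies.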
Status