/
DirectorySecurity AdvisoriesPricing
Sign in
Security Advisories

CGA-cmrm-pr6r-3j5c

Published

Last updated

https://images.chainguard.dev/security/CGA-cmrm-pr6r-3j5c
Package

spark-3.4

Repository

Chainguard

Latest Update
Fix not planned
Aliases
  • CVE-2021-31684
  • GHSA-fg2v-w576-w4v3

Severity

7.5

High

CVSS V3

References

  • https://nvd.nist.gov/vuln/detail/CVE-2021-31684

Updates

Status

Fix not planned

Impact

Spark 3.4 has reached end of life (EOL), and new images are no longer being built. We strongly recommend upgrading to Spark 3.5 to ensure continued support and access to the latest updates.

Status

Pending upstream fix

Impact

This json-smart 1.3.2 dependency that exists in the spark-3.5 package is brought in as a transitive dependency from hadoop-client-runtime-3.3.6.jar. This dependency is not able to be upgraded to a higher version and requires upstream maintainers to implement.

Status

Under investigation

Status

Pending upstream fix

Impact

This relates to json-smart v1.3.2 included by the shaded JAR hadoop-client-runtime-3.3.6.jar. There are no newer versions of this shaded JAR available to fix the vulnerability.


Safe Source for Open Sourceâ„¢
Contact us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing