CVSS V3: 7.5
Status
Impact
libthrift cannot be upgraded from .12 to .16 (see this PR: https://github.com/apache/spark/pull/46468 ) because of a version incompatibility with the parent dependency Hive: Spark-3.5 can only support Hive 2.3.9. Remediating this libthrift CVE would require Hive 2.3.10, which needs to be implemented by upstream maintainers. Upstream is targeting this for inclusion in the Spark-4.0 release, as seen here: https://issues.apache.org/jira/browse/SPARK-47018
Status