Vulnerability	Vulnerable Version
H External Control of File Name or Path Affected versions of this package are vulnerable to External Control of File Name or Path during schema parsing. Although loading untrusted classes is no longer vulnerable via this vector as of version 1.15.1, by default an attacker who can control a trusted class can execute arbitrary code by passing them in as `ReflectData` or `SpecificData` Parquet inputs to the schema parser. How to fix External Control of File Name or Path? Upgrade `org.apache.parquet:parquet-avro` to version 1.15.2 or higher.	[,1.15.2)
C Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data during schema parsing. An attacker can execute arbitrary code by passing in malicious classes as `ReflectData` or `SpecificData` inputs to the schema parser. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.parquet:parquet-avro` to version 1.15.1 or higher.	[,1.15.1)

External Control of File Name or Path

Affected versions of this package are vulnerable to External Control of File Name or Path during schema parsing. Although loading untrusted classes is no longer vulnerable via this vector as of version 1.15.1, by default an attacker who can control a trusted class can execute arbitrary code by passing them in as ReflectData or SpecificData Parquet inputs to the schema parser.

How to fix External Control of File Name or Path?

Upgrade org.apache.parquet:parquet-avro to version 1.15.2 or higher.

[,1.15.2)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data during schema parsing. An attacker can execute arbitrary code by passing in malicious classes as ReflectData or SpecificData inputs to the schema parser.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.parquet:parquet-avro to version 1.15.1 or higher.

[,1.15.1)

Go back to all versions of this package