Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Invalid
-
3.0.0
-
None
Description
Hi Team,
We use spark-core_2.12:3.0.0 which has transitive dependency on commons-text 1.6 and this is flagged as CVE-2022-42889.
We have our spark application built using maven using spark-core_2.12:3.0.0.
Need clarifications on below :
- Does spark-core use StringSubstitutor and do we need to worry about this?
- If its getting used , then which lib or code within spark core triggers it ?
- can we include the apache commons text 1.10.0 as explicit dependency on our POM and add common text 1.6 in exclusions for spark-core , will it work ?
- Upgrading the another spark version which may have commons text upgraded to 1.10.0 is not feasible and big task for us considering all dependent application using 3.0.0 version