3 matches found
CVE-2021-26544
Affected software: Apache Livy server 0.7.0-incubating. Issue: cross-site scripting (XSS) in the session name. Impact: a malicious user could access logs and results of other users’ sessions and run jobs with those users’ privileges. Root cause: XSS in session-name handling. Remediation: the fixe...
CVE-2025-66249
CVE-2025-66249 is a Directory Traversal vulnerability in Apache Livy (affecting 0.3.0 to before 0.9.0). The issue arises when the non-default Livy server setting livy.file.local-dir-whitelist bypasses directory checks, potentially allowing access to restricted paths. Impact is limited to unauthor...
CVE-2025-60012
CVE-2025-60012 (Apache Livy) : A vulnerability affecting Livy 0.7.0–0.8.0 when connected to Spark 3.1+, enabling unauthorized local file access via crafted Spark configuration values. Root causes (in vulnerable versions): (1) missing validation for spark.archives not added to Livy’s hardcoded fil...