CVE-2025-60012

EPSS 0.08%
Veröffentlicht 13.03.2026 15:23:07
Zuletzt bearbeitet 19.03.2026 17:46:30
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Livy: Restrict file access

Malicious configuration can lead to unauthorized file access in Apache Livy.

This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later.

A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to.

For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values.

Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Livy Version >= 0.7.0 < 0.9.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.231

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/03/12/1

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-60012

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-60012

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-60012

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-60012