topic Databricks-jdbc and vulnerabilities CVE-2021-36090 CVE-2023-6378 CVE-2023-6481 in Data Engineering https://community.databricks.com/t5/data-engineering/databricks-jdbc-and-vulnerabilities-cve-2021-36090-cve-2023-6378/m-p/59507#M31431 <P>The latest version of Databricks-jdbc available through Maven (2.6.36) now has these three vulnerabilities:</P><P><A href="https://www.cve.org/CVERecord?id=CVE-2021-36090" target="_blank">https://www.cve.org/CVERecord?id=CVE-2021-36090</A><BR /><A href="https://www.cve.org/CVERecord?id=CVE-2023-6378" target="_blank">https://www.cve.org/CVERecord?id=CVE-2023-6378</A><BR /><A href="https://www.cve.org/CVERecord?id=CVE-2023-6481" target="_blank">https://www.cve.org/CVERecord?id=CVE-2023-6481</A></P><P>All due to depending on and including in the jar the older versions of the below jar dependencies</P><P>org.apache.commons:commons-compress@1.20<BR />ch.qos.logback:logback-classic@1.2.3<BR />ch.qos.logback:logback-core@1.2.3</P><P>Is there a possibility to have a new updated version of Databricks-jdbc that uses the latest of these dependent jars?</P><P>org.apache.commons:commons-compress@1.25<BR />ch.qos.logback:logback-classic@1.2.13 or @1.4.14<BR />ch.qos.logback:logback-core@1.2.13 or @1.4.14</P> Tue, 06 Feb 2024 19:18:49 GMT karthik-kobai 2024-02-06T19:18:49Z Databricks-jdbc and vulnerabilities CVE-2021-36090 CVE-2023-6378 CVE-2023-6481 https://community.databricks.com/t5/data-engineering/databricks-jdbc-and-vulnerabilities-cve-2021-36090-cve-2023-6378/m-p/59507#M31431 <P>The latest version of Databricks-jdbc available through Maven (2.6.36) now has these three vulnerabilities:</P><P><A href="https://www.cve.org/CVERecord?id=CVE-2021-36090" target="_blank">https://www.cve.org/CVERecord?id=CVE-2021-36090</A><BR /><A href="https://www.cve.org/CVERecord?id=CVE-2023-6378" target="_blank">https://www.cve.org/CVERecord?id=CVE-2023-6378</A><BR /><A href="https://www.cve.org/CVERecord?id=CVE-2023-6481" target="_blank">https://www.cve.org/CVERecord?id=CVE-2023-6481</A></P><P>All due to depending on and including in the jar the older versions of the below jar dependencies</P><P>org.apache.commons:commons-compress@1.20<BR />ch.qos.logback:logback-classic@1.2.3<BR />ch.qos.logback:logback-core@1.2.3</P><P>Is there a possibility to have a new updated version of Databricks-jdbc that uses the latest of these dependent jars?</P><P>org.apache.commons:commons-compress@1.25<BR />ch.qos.logback:logback-classic@1.2.13 or @1.4.14<BR />ch.qos.logback:logback-core@1.2.13 or @1.4.14</P> Tue, 06 Feb 2024 19:18:49 GMT https://community.databricks.com/t5/data-engineering/databricks-jdbc-and-vulnerabilities-cve-2021-36090-cve-2023-6378/m-p/59507#M31431 karthik-kobai 2024-02-06T19:18:49Z