CVE-2025-60012— Apache Livy: Restrict file access

Apache Livy: Restrict file access

Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values. Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

N/A

输入验证不恰当

Apache Livy 输入验证错误漏洞

Apache Livy是美国阿帕奇（Apache）基金会的一个应用服务器。提供支持从Web、移动应用程序以编程方式，容错，多租户提交Spark作业。 Apache Livy 0.7.0版本和0.8.0版本存在输入验证错误漏洞，该漏洞源于恶意配置可能导致未经授权的文件访问，当连接到Apache Spark 3.1或更高版本时，用户可能获得对其无权访问文件的访问权限。

N/A

N/A