Maven package
org.apache.livy/livy-server
pkg:maven/org.apache.livy/livy-server
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-60012 | — | | | >= 0.7.0-incubating, < 0.9.0-incubating | 0.9.0-incubating | Mar 13, 2026 | Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to user |
| CVE-2025-66249 | — | | | >= 0.3.0-incubating, < 0.9.0-incubating | 0.9.0-incubating | Mar 13, 2026 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value |
| CVE-2021-26544 | — | | | >= 0.7.0-incubating, < 0.7.1-incubating | 0.7.1-incubating | Feb 20, 2021 | Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating |