=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN302
_____________________________________________________________________

DATE                : 13/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Livy versions prior to
                     0.9.0.

=====================================================================
https://lists.apache.org/thread/k06hqw5olf7slmlt0xh3vxhts7knmohz
https://lists.apache.org/thread/62p9vo0flnp5j1ztktj7k34ryq6fg45w
_____________________________________________________________________

CVE-2025-66249: Apache Livy: Unauthorized directory access
Severity: important 

Affected versions:

- Apache Livy (org.apache.livy:livy-server) 0.3.0-incubating before
0.9.0-incubating

Description:

Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal') vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default
Apache Livy Server settings. If the configuration value
"livy.file.local-dir-whitelist" is set to a non-default value, the
directory checking can be bypassed.

Users are recommended to upgrade to version 0.9.0, which fixes the
issue.
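The advisory describes a directory-whitelist check that can be bypassed by path traversal. The following is an added illustration of that weakness class (CWE-22) from a defender's viewpoint, not Apache Livy's own code or its actual fix: a constructed livy.conf excerpt is parsed for the "livy.file.local-dir-whitelist" key (assumed here to be a comma-separated list of directories; the directory name is made up), then a naive string-prefix check is contrasted with a canonicalising containment check.

```python
"""Added illustration for CVE-2025-66249; not Apache Livy's implementation."""
from pathlib import Path

# Constructed livy.conf excerpt: the key is the one named in the advisory,
# the directory value is a made-up example.
SAMPLE_LIVY_CONF = """\
# livy.conf (constructed sample)
livy.server.port = 8998
livy.file.local-dir-whitelist = /srv/livy/allowed
"""

def parse_whitelist(conf_text):
    """Return the directories configured under livy.file.local-dir-whitelist.
    An absent or blank key (the default) yields an empty list, i.e. no
    local directory is allowed. Comma separation is an assumption."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "livy.file.local-dir-whitelist":
            return [d.strip() for d in value.split(",") if d.strip()]
    return []

def naive_is_allowed(requested, whitelist):
    """Weak check: a plain string-prefix comparison. '..' segments and
    symlinks are never normalised, so any path that merely starts with an
    allowed directory passes."""
    return any(requested.startswith(d.rstrip("/") + "/") for d in whitelist)

def hardened_is_allowed(requested, whitelist):
    """Containment check: canonicalise both sides (collapsing '..' and
    following symlinks) and require the target to sit at or below an
    allowed directory."""
    target = Path(requested).resolve(strict=False)
    for d in whitelist:
        base = Path(d).resolve(strict=False)
        try:
            target.relative_to(base)   # raises ValueError when not contained
            return True
        except ValueError:
            continue
    return False

if __name__ == "__main__":
    wl = parse_whitelist(SAMPLE_LIVY_CONF)
    for p in ("/srv/livy/allowed/data.csv", "/srv/livy/allowed/../../secret.txt"):
        print(p, "naive:", naive_is_allowed(p, wl), "hardened:", hardened_is_allowed(p, wl))
```

The traversal path is accepted by the prefix check and rejected by the containment check; the same containment logic is what a reviewer should look for wherever a configured directory list gates file access.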

Credit:

Hiroki Egawa (finder)

References:

https://livy.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-66249

_____________________________________________________________________

CVE-2025-60012: Apache Livy: Restrict file access
Severity: important 

Affected versions:

- Apache Livy (org.apache.livy:livy-server) 0.7.0-incubating before
0.9.0-incubating

Description:

Malicious configuration can lead to unauthorized file access in Apache
Livy.

This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache
Spark 3.1 or later.

A request that includes a Spark configuration value supported from
Apache Spark version 3.1 can lead to users gaining access to files
they do not have permissions to.

For the vulnerability to be exploitable, the user needs to have access
to Apache Livy's REST or JDBC interface and be able to send requests
with arbitrary Spark configuration values.

Users are recommended to upgrade to version 0.9.0 or later, which
fixes the issue.

Credit:

Furue Hideyuki (finder)

References:

https://livy.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-60012



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================