GHSA-h84f-4ff9-8hc3

Source
https://github.com/advisories/GHSA-h84f-4ff9-8hc3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h84f-4ff9-8hc3/GHSA-h84f-4ff9-8hc3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h84f-4ff9-8hc3
Aliases
Published
2026-03-13T21:31:45Z
Modified
2026-03-16T19:01:29.985612Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Apache Livy: Unauthorized directory access
Details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.

Users are recommended to upgrade to version 0.9.0, which fixes the issue.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2026-03-13T19:53:52Z",
    "github_reviewed_at": "2026-03-16T18:45:11Z"
}
References

Affected packages

Maven / org.apache.livy:livy-server

Package

Name
org.apache.livy:livy-server
Purl
pkg:maven/org.apache.livy/livy-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.0-incubating
Fixed
0.9.0-incubating

Affected versions

0.*
0.4.0-incubating
0.5.0-incubating
0.6.0-incubating
0.7.0-incubating
0.7.1-incubating
0.8.0-incubating

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h84f-4ff9-8hc3/GHSA-h84f-4ff9-8hc3.json"