Apache Livy vulnerabilities

3 known vulnerabilities affecting apache/livy.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 3

Vulnerabilities

CVE-2025-66249 | MEDIUM | CVSS 6.3 | ≥ 0.3.0, < 0.9.0 | 2026-03-13
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the dire
Source: nvd

CVE-2025-60012 | MEDIUM | CVSS 6.3 | ≥ 0.7.0, < 0.9.0 | 2026-03-13
CWE-20: Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vuln
Source: nvd

CVE-2021-26544 | MEDIUM | CVSS 5.4 | v0.7.0-incubating | 2021-02-20
CWE-79: Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.
Source: nvd