The biggest offender by far is jackson-databind 2.4.0. Upgrading that single dependency to a current 2.18.8+ release would clear the overwhelming majority of these CVEs.

I can try raising a PR for this.

Thanks
Simhadri G

On Thu, Jun 25, 2026, 4:21 AM Sai Hemanth Gantasala <[email protected]> wrote:

> Hi Ayush,
>
> I agree that we should address these, especially the critical ones, for the upcoming release. While achieving an "A" rating might be difficult, we should at least clean up the high-impact vulnerabilities to improve our security posture and perception.
>
> I'm planning to create an umbrella JIRA to track this effort and will link individual issues for each CVE we decide to tackle. I think prioritizing the critical issues for this cycle is definitely worth it. I'll start the umbrella ticket so we can coordinate the work.
>
> Thanks,
> Sai
>
>
> On Tue, Jun 23, 2026 at 6:03 PM Ayush Saxena <[email protected]> wrote:
>
>> Hi Folks,
>> I was randomly browsing our DockerHub page and noticed that our Docker images currently show a big "E" security rating. I've attached a screenshot along with the local text output (assuming the attachment makes it through).
>>
>> If not, the following command should provide the vulnerability details locally:
>> docker scout cves apache/hive:nightly
>>
>> I realize this isn't a problem we can completely eliminate. Given the number of dependencies in the Hadoop/Hive ecosystem, achieving an "A" rating is probably unrealistic. However, there may be a few low-hanging issues that we could address without a significant engineering effort.
>>
>> My understanding is that many of these reported CVEs are unlikely to be directly exploitable in Hive deployments or may not impact Hive functionality at all. Because of that, I don't see this as a "drop everything and fix it" effort. That said, improving the score where practical could help with the project's presentation and perception, especially for users evaluating Hive from a security standpoint.
>>
>> Curious what others think:
>> * Do we have any plans or strategy around this?
>> * Are there easy wins worth pursuing?
>> * Or is the consensus simply that the current state is acceptable and not worth spending cycles on? Maybe newbie tickets?
>>
>> Interested in hearing everyone's thoughts.
>>
>> -Ayush
>>
>
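Added example (not from this thread or the Hive project): a small Python triage helper that does the "which single upgrade clears the most CVEs" analysis behind the jackson-databind observation above. It groups scan findings per package and reports, for each, the number of CVEs, the worst severity, how many an upgrade would clear and the lowest version that clears them. The findings list is constructed sample data in a simplified shape; the CVE ids are placeholders and the list is not real docker scout output.

```python
"""Rank dependency-scan findings per package so that the single upgrade
clearing the most CVEs stands out.  SAMPLE_FINDINGS is CONSTRUCTED data in a
simplified (package, installed, cve, severity, fixed_in) shape; the CVE ids
are placeholders and the rows are not docker scout output."""
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unspecified": 0}

# Constructed sample findings; CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    ("com.fasterxml.jackson.core/jackson-databind", "2.4.0", "CVE-0000-0001", "critical", "2.9.10.4"),
    ("com.fasterxml.jackson.core/jackson-databind", "2.4.0", "CVE-0000-0002", "critical", "2.13.4.1"),
    ("com.fasterxml.jackson.core/jackson-databind", "2.4.0", "CVE-0000-0003", "high", "2.12.7.1"),
    ("com.fasterxml.jackson.core/jackson-databind", "2.4.0", "CVE-0000-0004", "high", None),
    ("org.example/other-lib", "1.0.0", "CVE-0000-0005", "medium", "1.0.1"),
]

def parse_version(v):
    """Turn '2.9.10.4' into a comparable tuple; non-numeric parts sort before numbers."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))

def summarize(findings):
    """Per package: CVE count, worst severity, lowest version fixing every
    finding that has a fix, and how many findings have no fix at all."""
    by_pkg = defaultdict(lambda: {"installed": None, "cves": [], "worst": "unspecified",
                                  "fixed": [], "unfixed": 0})
    for pkg, installed, cve, sev, fixed in findings:
        e = by_pkg[pkg]
        e["installed"] = installed
        e["cves"].append(cve)
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[e["worst"]]:
            e["worst"] = sev
        if fixed:
            e["fixed"].append(fixed)
        else:
            e["unfixed"] += 1
    report = {}
    for pkg, e in by_pkg.items():
        # The highest fixed-in version is the lowest version that clears all fixable findings.
        target = max(e["fixed"], key=parse_version) if e["fixed"] else None
        report[pkg] = {"installed": e["installed"], "count": len(e["cves"]), "worst": e["worst"],
                       "upgrade_to": target, "cleared_by_upgrade": len(e["fixed"], ), "no_fix": e["unfixed"]}
    return report

def biggest_offender(findings):
    """Package whose single upgrade would clear the most findings."""
    report = summarize(findings)
    return max(report, key=lambda p: report[p]["cleared_by_upgrade"])

if __name__ == "__main__":
    for pkg, r in sorted(summarize(SAMPLE_FINDINGS).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{pkg} {r['installed']}: {r['count']} CVEs (worst {r['worst']}); upgrading to "
              f"{r['upgrade_to']} clears {r['cleared_by_upgrade']}, {r['no_fix']} have no fix")
```

Feeding it rows transcribed from a real scan shows which package to upgrade first and whether any findings would remain even after that upgrade.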
