Hi Team, Our internal scans are flagging CVE-2024-7254 for spark-core_2.13-3.5.0.jar.
The CVE seems related to protobuf. spark-core 3.5.x seems to be using protobuf version: 3.23.4 which is having this CVE-2024-7254 Can you please share if a newer spark-core 3.5.x version will be released with a fix to this CVE. If not; will this CVE be fixed in the 4.x GA release. If yes can you please help share any timeline for the GA build for spark-core 4.x to be released. Regards, Kaushik
