Andrew Pikler

**Name of the Vulnerable Software and Affected Versions** Apache Parquet versions prior to 1.15.2 **Description** The vulnerability in Apache Parquet Java allows remote code execution via insecure parquet-avro module schema parsing. The issue affects versions up to 1.15.1. The parquet-avro module is responsible for processing Avro schemas within the metadata of Parquet files. Despite an earlier update in version 1.15.1 intended to restrict untrusted packages, the default settings remain permissive enough that harmful classes can still be executed. This is particularly worrisome for data processing pipelines that may draw files from untrusted sources, putting any application utilizing this module at risk of remote code execution. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. **Recommendations** Apache Parquet version 1.15.1: Set the system property "org.apache.parquet.avro.SERIALIZABLE PACKAGES" to an empty string. Apache Parquet versions prior to 1.15.1: Upgrade to version 1.15.2. Apache Parquet versions prior to 1.15.2 (general recommendation): Upgrade to version 1.15.2 to ensure safety.

**Name of the Vulnerable Software and Affected Versions** Apache MINA versions 1.0 through 2.9.3 **Description** The issue is related to the exposure of sensitive information to unauthorized actors in Apache MINA SSHD SFTP servers that use a RootedFileSystem. Logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. **Recommendations** For Apache MINA versions 1.0 through 2.9.3, upgrade to version 2.10 to resolve the issue. As a temporary workaround, consider restricting access to the RootedFileSystem to minimize the risk of exploitation.