
Hiroki Egawa

#17764 of 53,635
15.1 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-25062
6.3
2026-03-12
Apache · Apache Livy · CVE-2025-66249

**Name of the Vulnerable Software and Affected Versions**
Apache Livy versions 0.3.0 through 0.8.9

**Description**
An improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in Apache Livy. This issue can be exploited with non-default Apache Livy Server settings. Specifically, if the `livy.file.local-dir-whitelist` configuration value is set to a non-default value, the directory checking can be bypassed.

**Recommendations**
Upgrade to version 0.9.0 to resolve this issue.

PT-2026-1236
8.8
2026-01-05
Apache · Apache Kyuubi · CVE-2025-66518

**Name of the Vulnerable Software and Affected Versions**
Apache Kyuubi versions 1.6.0 through 1.10.2

**Description**
A client with access to the Apache Kyuubi Server through Kyuubi frontend protocols can bypass the server-side configuration `kyuubi.session.local.dir.allow.list` and access local files not included in the allowed list. This allows unauthorized access to local files.

**Recommendations**
Upgrade to version 1.10.3 or a later version to resolve this issue.