Comment by kevincox
13 days ago
But Parquet is intended to be a safe format. So importing a malicious file should still be safe.
Like if a browser had a vulnerability parsing HTML of course it is a major concern because very often browsers to parse HTML from untrusted parties.
Why is "user interaction: none" though? There should be reasoning attached to the CVSS vector in these CVEs.
Probably because there are services (AKA web services, software listening on a network port, etc.) out there which accept arbitrary Parquet files. This seems like a safe assumption given lots of organizations use micro-services or cloud venders use the same software on the same machine to process requests from different customers. This is a bad bug and if you use the affected code, you should update immediately.