PyPI package
pyspark
pkg:pypi/pyspark
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-32007 | — | — | — | >= 3.1.1, < 3.2.2 | 3.2.2 | May 2, 2023 | ** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a cod |
| CVE-2023-22946 | — | — | — | < 3.3.2 | 3.3.2 | Apr 17, 2023 | In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the cl |
| CVE-2022-31777 | — | — | — | < 3.2.2 | 3.2.2 | Nov 1, 2022 | A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. |
| CVE-2022-33891 | — | — | KEV | <= 3.0.3 | — | Jul 18, 2022 | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can |
| CVE-2021-38296 | — | — | — | < 3.1.3 | 3.1.3 | Mar 10, 2022 | Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive a |
| CVE-2020-9480 | — | — | — | < 2.4.6 | 2.4.6 | Jun 23, 2020 | In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the S |
| CVE-2019-10099 | — | — | — | < 2.3.3 | 2.3.3 | Aug 7, 2019 | Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in P |
| CVE-2018-11760 | — | — | — | >= 2.3.0, < 2.3.2 | 2.3.2 | Feb 4, 2019 | When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. |
| CVE-2018-1334 | — | — | — | >= 2.2.0, < 2.2.2 | 2.2.2 | Jul 12, 2018 | In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. |
| CVE-2017-12612 | High | 7.8 | — | < 2.1.2 | 2.1.2 | Sep 13, 2017 | In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user a |