Latest apache spark Vulnerabilities

CVE-2023-32007
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has ...
Apache Spark<=3.0.3
Apache Spark>=3.1.1<=3.1.3
Apache Spark>=3.2.0<=3.2.1
CVE-2023-22946
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitti...
Apache Spark<3.4.0
CVE-2022-31777
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a mal...
pip/pyspark>=0<3.2.2
maven/org.apache.spark:spark-core=3.3.0
maven/org.apache.spark:spark-core<3.2.2
Apache Spark<3.2.2
Apache Spark=3.3.0
CVE-2022-33891
Apache Spark Command Injection Vulnerability
Apache Spark<=3.0.3
Apache Spark>=3.1.1<=3.1.2
Apache Spark>=3.2.0<=3.2.1
pip/pyspark>=3.1.1<3.2.2
maven/org.apache.spark:spark-parent_2.12>=3.1.1<3.2.2
maven/org.apache.spark:spark-parent_2.12<=3.0.3
and 2 more
CVE-2021-38296
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication proto...
Apache Spark<3.1.3
Oracle Financial Services Crime And Compliance Management Studio=8.0.8.2.0
Oracle Financial Services Crime And Compliance Management Studio=8.0.8.3.0
pip/pyspark<3.1.3
maven/org.apache.spark:spark-core<3.1.3
CVE-2020-27223
Eclipse Jetty is vulnerable to a denial of service, caused by an error when handling a request containing multiple Accept headers with a large number of quality parameters. By sending a specially-craf...
redhat/jenkins<0:2.289.1.1624365627-1.el7
redhat/jenkins<0:2.277.3.1623846768-1.el7
redhat/jenkins<0:2.277.3.1623853726-1.el8
debian/jetty9
redhat/jetty-9.4.37.v20210219 jetty-10.0.1 jetty<11.0.1
IBM Secure Proxy<=6.0.2
and 25 more
CVE-2020-27218
### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received en...
redhat/jenkins<0:2.289.1.1624365627-1.el7
redhat/jenkins<0:2.277.3.1623846768-1.el7
redhat/jenkins<0:2.277.3.1623853726-1.el8
redhat/jetty<9.4.35.
redhat/jetty<10.0.0.
redhat/jetty<11.0.0.
and 31 more
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-craft...
Apache Spark<=2.4.5
Oracle Business Intelligence=5.5.0.0.0
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-handler>=4.0.0<4.1.45
redhat/qpid-proton<0:0.30.0-4.el6_10
redhat/qpid-proton<0:0.30.0-2.el7
redhat/nodejs-rhea<0:1.0.16-1.el8
and 102 more
CVE-2019-10172
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries such that an XML external entity (XXE) vulnerability affects codehaus's jackson-mapper-asl libraries. This vulnerability is ...
redhat/eap7-activemq-artemis<0:2.9.0-4.redhat_00010.1.el6ea
redhat/eap7-apache-cxf<0:3.2.12-1.redhat_00001.1.el6ea
redhat/eap7-bouncycastle<0:1.60.0-2.redhat_00002.1.el6ea
redhat/eap7-codehaus-jackson<0:1.9.13-10.redhat_00007.1.el6ea
redhat/eap7-cryptacular<0:1.2.4-1.redhat_00001.1.el6ea
redhat/eap7-glassfish-el<0:3.0.1-5.b08_redhat_00004.1.el6ea
and 268 more
CVE-2018-17190
Apache Spark
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to ...
Apache Spark>=1.3.0
CVE-2018-11770
Apache Spark>=1.3.0
CVE-2018-8024
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be trick...
Apache Spark>=2.1.0<=2.1.2
Apache Spark>=2.2.0<=2.2.1
Apache Spark=2.3.0
Mozilla Firefox
CVE-2018-1334
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running t...
Apache Spark<=2.1.2
Apache Spark>=2.2.0<=2.2.1
Apache Spark=2.3.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203