| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-4rcx-smaw-c3an |
| vulnerability_id |
VCID-4rcx-smaw-c3an |
| summary |
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-9480, GHSA-wgx7-jwwm-cgjv, PYSEC-2020-95
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4rcx-smaw-c3an |
|
| 1 |
| url |
VCID-713x-tc78-rua3 |
| vulnerability_id |
VCID-713x-tc78-rua3 |
| summary |
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.
Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.
When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.
This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.
To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or
enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-55039, GHSA-6p6v-m64v-jx8q, PYSEC-2025-184
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-713x-tc78-rua3 |
|
| 2 |
| url |
VCID-adsy-uby8-gkc9 |
| vulnerability_id |
VCID-adsy-uby8-gkc9 |
| summary |
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that
spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its
default of "false", and is not overridden by submitted applications. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-22946, GHSA-329j-jfvr-rhr6, PYSEC-2023-44
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-adsy-uby8-gkc9 |
|
| 3 |
| url |
VCID-dwzq-skka-qkhj |
| vulnerability_id |
VCID-dwzq-skka-qkhj |
| summary |
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-38296, GHSA-9rr6-jpg7-9jg6, PYSEC-2022-186
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dwzq-skka-qkhj |
|
| 4 |
| url |
VCID-pue3-vp1e-xkat |
| vulnerability_id |
VCID-pue3-vp1e-xkat |
| summary |
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-33891, GHSA-4x9r-j582-cgr8, PYSEC-2022-236
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pue3-vp1e-xkat |
|
| 5 |
| url |
VCID-sr15-sfp8-vkfg |
| vulnerability_id |
VCID-sr15-sfp8-vkfg |
| summary |
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-32007, GHSA-59hw-j9g6-mfg3, PYSEC-2023-72
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sr15-sfp8-vkfg |
|
| 6 |
| url |
VCID-xxtq-3ec6-m7hj |
| vulnerability_id |
VCID-xxtq-3ec6-m7hj |
| summary |
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-31777, PYSEC-2022-42976
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xxtq-3ec6-m7hj |
|
|
|---|