Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/pyspark@2.4.8
Typepypi
Namespace
Namepyspark
Version2.4.8
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.4.4
Latest_non_vulnerable_version3.5.2
Affected_by_vulnerabilities
0
url VCID-713x-tc78-rua3
vulnerability_id VCID-713x-tc78-rua3
summary 
This issue affects Apache Spark versions before  3.4.4, 3.5.2 and 4.0.0.



Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.

When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.

This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.


To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or

enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.
references
0
reference_url https://github.com/apache/spark
reference_id
reference_type
scores
url https://github.com/apache/spark
1
reference_url https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq
2
reference_url http://www.openwall.com/lists/oss-security/2025/10/14/11
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url http://www.openwall.com/lists/oss-security/2025/10/14/11
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55039
reference_id CVE-2025-55039
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-55039
4
reference_url https://github.com/advisories/GHSA-6p6v-m64v-jx8q
reference_id GHSA-6p6v-m64v-jx8q
reference_type
scores
url https://github.com/advisories/GHSA-6p6v-m64v-jx8q
fixed_packages
0
url pkg:pypi/pyspark@3.4.4
purl pkg:pypi/pyspark@3.4.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.4.4
1
url pkg:pypi/pyspark@3.5.2
purl pkg:pypi/pyspark@3.5.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.5.2
aliases CVE-2025-55039, GHSA-6p6v-m64v-jx8q, PYSEC-2025-184
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-713x-tc78-rua3
1
url VCID-adsy-uby8-gkc9
vulnerability_id VCID-adsy-uby8-gkc9
summary 
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.

Update to Apache Spark 3.4.0 or later, and ensure that 
spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its 
default of "false", and is not overridden by submitted applications.
references
0
reference_url https://github.com/apache/spark
reference_id
reference_type
scores
url https://github.com/apache/spark
1
reference_url https://github.com/apache/spark/commit/909da96e1471886a01a9e1def93630c4fd40e74a
reference_id
reference_type
scores
url https://github.com/apache/spark/commit/909da96e1471886a01a9e1def93630c4fd40e74a
2
reference_url https://github.com/apache/spark/pull/39474
reference_id
reference_type
scores
url https://github.com/apache/spark/pull/39474
3
reference_url https://github.com/apache/spark/pull/41428
reference_id
reference_type
scores
url https://github.com/apache/spark/pull/41428
4
reference_url https://github.com/degant/spark/commit/bfba57724d2520e0fcaa7990f7257c21d11cd75a
reference_id
reference_type
scores
url https://github.com/degant/spark/commit/bfba57724d2520e0fcaa7990f7257c21d11cd75a
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-44.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-44.yaml
6
reference_url https://issues.apache.org/jira/browse/SPARK-41958
reference_id
reference_type
scores
url https://issues.apache.org/jira/browse/SPARK-41958
7
reference_url https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv
reference_id
reference_type
scores
url https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22946
reference_id CVE-2023-22946
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-22946
9
reference_url https://github.com/advisories/GHSA-329j-jfvr-rhr6
reference_id GHSA-329j-jfvr-rhr6
reference_type
scores
url https://github.com/advisories/GHSA-329j-jfvr-rhr6
fixed_packages
0
url pkg:pypi/pyspark@3.3.2
purl pkg:pypi/pyspark@3.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.3.2
1
url pkg:pypi/pyspark@3.4.0
purl pkg:pypi/pyspark@3.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.4.0
aliases CVE-2023-22946, GHSA-329j-jfvr-rhr6, PYSEC-2023-44
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-adsy-uby8-gkc9
2
url VCID-dwzq-skka-qkhj
vulnerability_id VCID-dwzq-skka-qkhj
summary Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later
references
0
reference_url https://github.com/advisories/GHSA-9rr6-jpg7-9jg6
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-9rr6-jpg7-9jg6
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml
2
reference_url https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd
reference_id
reference_type
scores
url https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd
3
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujul2022.html
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-38296
reference_id CVE-2021-38296
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-38296
fixed_packages
0
url pkg:pypi/pyspark@3.1.3
purl pkg:pypi/pyspark@3.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
2
vulnerability VCID-sr15-sfp8-vkfg
3
vulnerability VCID-xxtq-3ec6-m7hj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.3
aliases CVE-2021-38296, GHSA-9rr6-jpg7-9jg6, PYSEC-2022-186
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dwzq-skka-qkhj
3
url VCID-pue3-vp1e-xkat
vulnerability_id VCID-pue3-vp1e-xkat
summary The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
references
0
reference_url https://github.com/advisories/GHSA-4x9r-j582-cgr8
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-4x9r-j582-cgr8
1
reference_url https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
reference_id
reference_type
scores
url https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
fixed_packages
0
url pkg:pypi/pyspark@3.1.1
purl pkg:pypi/pyspark@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
2
vulnerability VCID-dwzq-skka-qkhj
3
vulnerability VCID-pue3-vp1e-xkat
4
vulnerability VCID-sr15-sfp8-vkfg
5
vulnerability VCID-xxtq-3ec6-m7hj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.1
1
url pkg:pypi/pyspark@3.1.3
purl pkg:pypi/pyspark@3.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
2
vulnerability VCID-sr15-sfp8-vkfg
3
vulnerability VCID-xxtq-3ec6-m7hj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.3
2
url pkg:pypi/pyspark@3.2.2
purl pkg:pypi/pyspark@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.2
aliases CVE-2022-33891, GHSA-4x9r-j582-cgr8, PYSEC-2022-236
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pue3-vp1e-xkat
4
url VCID-sr15-sfp8-vkfg
vulnerability_id VCID-sr15-sfp8-vkfg
summary 
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.
references
0
reference_url https://github.com/apache/spark
reference_id
reference_type
scores
url https://github.com/apache/spark
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-72.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-72.yaml
2
reference_url https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv
reference_id
reference_type
scores
url https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv
3
reference_url https://spark.apache.org/security.html
reference_id
reference_type
scores
url https://spark.apache.org/security.html
4
reference_url https://www.cve.org/CVERecord?id=CVE-2022-33891
reference_id
reference_type
scores
url https://www.cve.org/CVERecord?id=CVE-2022-33891
5
reference_url https://www.openwall.com/lists/oss-security/2023/05/02/1
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/05/02/1
6
reference_url http://www.openwall.com/lists/oss-security/2023/05/02/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2023/05/02/1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-32007
reference_id CVE-2023-32007
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-32007
8
reference_url https://github.com/advisories/GHSA-59hw-j9g6-mfg3
reference_id GHSA-59hw-j9g6-mfg3
reference_type
scores
url https://github.com/advisories/GHSA-59hw-j9g6-mfg3
fixed_packages
0
url pkg:pypi/pyspark@3.1.1
purl pkg:pypi/pyspark@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
2
vulnerability VCID-dwzq-skka-qkhj
3
vulnerability VCID-pue3-vp1e-xkat
4
vulnerability VCID-sr15-sfp8-vkfg
5
vulnerability VCID-xxtq-3ec6-m7hj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.1
1
url pkg:pypi/pyspark@3.2.0
purl pkg:pypi/pyspark@3.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
2
vulnerability VCID-pue3-vp1e-xkat
3
vulnerability VCID-xxtq-3ec6-m7hj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.0
2
url pkg:pypi/pyspark@3.2.2
purl pkg:pypi/pyspark@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.2
aliases CVE-2023-32007, GHSA-59hw-j9g6-mfg3, PYSEC-2023-72
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sr15-sfp8-vkfg
5
url VCID-xxtq-3ec6-m7hj
vulnerability_id VCID-xxtq-3ec6-m7hj
summary A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
references
0
reference_url https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q
reference_id
reference_type
scores
url https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q
fixed_packages
0
url pkg:pypi/pyspark@3.2.2
purl pkg:pypi/pyspark@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-713x-tc78-rua3
1
vulnerability VCID-adsy-uby8-gkc9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.2
aliases CVE-2022-31777, PYSEC-2022-42976
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xxtq-3ec6-m7hj
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@2.4.8