Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.spark/spark-core_2.10@2.2.0
Typemaven
Namespaceorg.apache.spark
Namespark-core_2.10
Version2.2.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-3gwu-myk4-ufdj
vulnerability_id VCID-3gwu-myk4-ufdj
summary In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
references
0
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2018-25.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2018-25.yaml
1
reference_url https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E
2
reference_url https://spark.apache.org/security.html#CVE-2018-1334
reference_id
reference_type
scores
url https://spark.apache.org/security.html#CVE-2018-1334
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-1334
reference_id CVE-2018-1334
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2018-1334
4
reference_url https://github.com/advisories/GHSA-6mqq-8r44-vmjc
reference_id GHSA-6mqq-8r44-vmjc
reference_type
scores
url https://github.com/advisories/GHSA-6mqq-8r44-vmjc
fixed_packages
0
url pkg:maven/org.apache.spark/spark-core_2.10@2.2.2
purl pkg:maven/org.apache.spark/spark-core_2.10@2.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8fxy-5cvh-vfag
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.10@2.2.2
aliases CVE-2018-1334, GHSA-6mqq-8r44-vmjc, PYSEC-2018-25
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3gwu-myk4-ufdj
1
url VCID-hx6d-5966-dbgx
vulnerability_id VCID-hx6d-5966-dbgx
summary 
Information Exposure
In Apache Spark it is possible for a malicious user to construct a URL pointing to a Spark cluster UI job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
references
0
reference_url https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E
1
reference_url https://spark.apache.org/security.html#CVE-2018-8024
reference_id
reference_type
scores
url https://spark.apache.org/security.html#CVE-2018-8024
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-8024
reference_id CVE-2018-8024
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2018-8024
3
reference_url https://github.com/advisories/GHSA-8cw6-5qvp-q3wj
reference_id GHSA-8cw6-5qvp-q3wj
reference_type
scores
url https://github.com/advisories/GHSA-8cw6-5qvp-q3wj
fixed_packages
0
url pkg:maven/org.apache.spark/spark-core_2.10@2.2.2
purl pkg:maven/org.apache.spark/spark-core_2.10@2.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8fxy-5cvh-vfag
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.10@2.2.2
aliases CVE-2018-8024, GHSA-8cw6-5qvp-q3wj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hx6d-5966-dbgx
Fixing_vulnerabilities
0
url VCID-hwy7-n4uz-ffa1
vulnerability_id VCID-hwy7-n4uz-ffa1
summary 
Cross-site Scripting
It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
references
0
reference_url http://www.securityfocus.com/bid/99603
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/99603
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-7678
reference_id CVE-2017-7678
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-7678
2
reference_url https://github.com/advisories/GHSA-r34r-f84j-5x4x
reference_id GHSA-r34r-f84j-5x4x
reference_type
scores
url https://github.com/advisories/GHSA-r34r-f84j-5x4x
fixed_packages
0
url pkg:maven/org.apache.spark/spark-core_2.10@2.2.0
purl pkg:maven/org.apache.spark/spark-core_2.10@2.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3gwu-myk4-ufdj
1
vulnerability VCID-hx6d-5966-dbgx
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.10@2.2.0
aliases CVE-2017-7678, GHSA-r34r-f84j-5x4x
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hwy7-n4uz-ffa1
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.10@2.2.0