Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/57580?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/57580?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.1.3", "type": "maven", "namespace": "org.apache.spark", "name": "spark-core_2.11", "version": "2.1.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40459?format=api", "vulnerability_id": "VCID-4r6t-jf6t-hkfu", "summary": "Improper Authentication\nIn all versions of Apache Spark, the standalone resource manager accepts code to execute on a `master` host, that then runs that code on `worker` hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-17190", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.79312", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-17190" }, { "reference_url": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5@%3Cdev.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5@%3Cdev.spark.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201903-21", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/201903-21" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2020.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "reference_url": "http://www.securityfocus.com/bid/105976", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/105976" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17190", "reference_id": "CVE-2018-17190", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17190" }, { "reference_url": "https://github.com/advisories/GHSA-phg2-9c5g-m4q7", "reference_id": "GHSA-phg2-9c5g-m4q7", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-phg2-9c5g-m4q7" } ], "fixed_packages": [], "aliases": [ "CVE-2018-17190", "GHSA-phg2-9c5g-m4q7" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4r6t-jf6t-hkfu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40165?format=api", "vulnerability_id": "VCID-8fxy-5cvh-vfag", "summary": "Improper Authentication\nApache Spark standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property `spark.authenticate.secret` establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11770.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11770.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-11770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.88996", "scoring_system": "epss", "scoring_elements": "0.99543", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-11770" }, { "reference_url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485@%3Cdev.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485@%3Cdev.spark.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E" }, { "reference_url": "https://spark.apache.org/security.html#CVE-2018-11770", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://spark.apache.org/security.html#CVE-2018-11770" }, { "reference_url": "https://web.archive.org/web/20200227114942/http://www.securityfocus.com/bid/105097", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20200227114942/http://www.securityfocus.com/bid/105097" }, { "reference_url": "http://www.securityfocus.com/bid/105097", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/105097" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1615652", "reference_id": "1615652", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1615652" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11770", "reference_id": "CVE-2018-11770", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11770" }, { "reference_url": "https://github.com/advisories/GHSA-w4r4-65mg-45x2", "reference_id": "GHSA-w4r4-65mg-45x2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w4r4-65mg-45x2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75850?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.3.3" } ], "aliases": [ "CVE-2018-11770", "GHSA-w4r4-65mg-45x2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8fxy-5cvh-vfag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40399?format=api", "vulnerability_id": "VCID-k96c-fsnj-sfbq", "summary": "Improper Input Validation\nThe Apache Spark Maven-based build includes a convenience script, `build/mvn`, that downloads and runs a zinc server to speed up compilation. It has been included in release branches since, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-11804", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00646", "scoring_system": "epss", "scoring_elements": "0.71111", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-11804" }, { "reference_url": "https://github.com/apache/spark", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/spark" }, { "reference_url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d@%3Cdev.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d@%3Cdev.spark.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E" }, { "reference_url": "https://spark.apache.org/security.html#CVE-2018-11804", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://spark.apache.org/security.html#CVE-2018-11804" }, { "reference_url": "https://web.archive.org/web/20200227103903/http://www.securityfocus.com/bid/105756", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20200227103903/http://www.securityfocus.com/bid/105756" }, { "reference_url": "http://www.securityfocus.com/bid/105756", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/105756" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11804", "reference_id": "CVE-2018-11804", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11804" }, { "reference_url": "https://github.com/advisories/GHSA-62g2-m955-v383", "reference_id": "GHSA-62g2-m955-v383", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-62g2-m955-v383" } ], "fixed_packages": [], "aliases": [ "CVE-2018-11804", "GHSA-62g2-m955-v383" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k96c-fsnj-sfbq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35395?format=api", "vulnerability_id": "VCID-ntyz-qt6e-vqf3", "summary": "Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-10099", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.52112", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-10099" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-114.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-114.yaml" }, { "reference_url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10099", "reference_id": "CVE-2019-10099", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10099" }, { "reference_url": "https://github.com/advisories/GHSA-fp5j-3fpf-mhj5", "reference_id": "GHSA-fp5j-3fpf-mhj5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fp5j-3fpf-mhj5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75850?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.3.3" } ], "aliases": [ "CVE-2019-10099", "GHSA-fp5j-3fpf-mhj5", "PYSEC-2019-114" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ntyz-qt6e-vqf3" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35229?format=api", "vulnerability_id": "VCID-3gwu-myk4-ufdj", "summary": "In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-1334", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.2962", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-1334" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2018-25.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2018-25.yaml" }, { "reference_url": "https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E" }, { "reference_url": "https://spark.apache.org/security.html#CVE-2018-1334", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://spark.apache.org/security.html#CVE-2018-1334" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1334", "reference_id": "CVE-2018-1334", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1334" }, { "reference_url": "https://github.com/advisories/GHSA-6mqq-8r44-vmjc", "reference_id": "GHSA-6mqq-8r44-vmjc", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mqq-8r44-vmjc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57580?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" }, { "vulnerability": "VCID-8fxy-5cvh-vfag" }, { "vulnerability": "VCID-k96c-fsnj-sfbq" }, { "vulnerability": "VCID-ntyz-qt6e-vqf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/57581?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" }, { "vulnerability": "VCID-8fxy-5cvh-vfag" }, { "vulnerability": "VCID-ntyz-qt6e-vqf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/57582?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" }, { "vulnerability": "VCID-8fxy-5cvh-vfag" }, { "vulnerability": "VCID-ntyz-qt6e-vqf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.3.1" } ], "aliases": [ "CVE-2018-1334", "GHSA-6mqq-8r44-vmjc", "PYSEC-2018-25" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3gwu-myk4-ufdj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40080?format=api", "vulnerability_id": "VCID-hx6d-5966-dbgx", "summary": "Information Exposure\nIn Apache Spark it is possible for a malicious user to construct a URL pointing to a Spark cluster UI job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-8024", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.61137", "scoring_system": "epss", "scoring_elements": "0.98338", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-8024" }, { "reference_url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E" }, { "reference_url": "https://spark.apache.org/security.html#CVE-2018-8024", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://spark.apache.org/security.html#CVE-2018-8024" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8024", "reference_id": "CVE-2018-8024", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8024" }, { "reference_url": "https://github.com/advisories/GHSA-8cw6-5qvp-q3wj", "reference_id": "GHSA-8cw6-5qvp-q3wj", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8cw6-5qvp-q3wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57580?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" }, { "vulnerability": "VCID-8fxy-5cvh-vfag" }, { "vulnerability": "VCID-k96c-fsnj-sfbq" }, { "vulnerability": "VCID-ntyz-qt6e-vqf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/57581?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" }, { "vulnerability": "VCID-8fxy-5cvh-vfag" }, { "vulnerability": "VCID-ntyz-qt6e-vqf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/57582?format=api", "purl": "pkg:maven/org.apache.spark/spark-core_2.11@2.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4r6t-jf6t-hkfu" }, { "vulnerability": "VCID-8fxy-5cvh-vfag" }, { "vulnerability": "VCID-ntyz-qt6e-vqf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.3.1" } ], "aliases": [ "CVE-2018-8024", "GHSA-8cw6-5qvp-q3wj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hx6d-5966-dbgx" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.11@2.1.3" }