Search for packages
| purl | pkg:maven/org.apache.spark/spark-core@3.0.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5uaa-p1dd-3yb3
Aliases: BIT-spark-2023-32007 CVE-2023-32007 GHSA-59hw-j9g6-mfg3 PYSEC-2023-72 |
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0. | There are no reported fixed by versions. |
|
VCID-hfnr-s2a7-bkbv
Aliases: BIT-spark-2022-33891 CVE-2022-33891 GHSA-4x9r-j582-cgr8 PYSEC-2022-236 |
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. | There are no reported fixed by versions. |
|
VCID-nyxu-ekhs-gyb5
Aliases: CVE-2020-27218 GHSA-86wm-rrjm-8wh8 |
Buffer not correctly recycled in Gzip Request inflation ### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-03T21:27:20.589087+00:00 | GitLab Importer | Affected by | VCID-hfnr-s2a7-bkbv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core/CVE-2022-33891.yml | 38.1.0 |
| 2026-04-02T12:37:42.202874+00:00 | GitLab Importer | Affected by | VCID-nyxu-ekhs-gyb5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core/CVE-2020-27218.yml | 38.0.0 |
| 2026-04-01T12:51:15.006866+00:00 | GitLab Importer | Affected by | VCID-5uaa-p1dd-3yb3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core/CVE-2023-32007.yml | 38.0.0 |