VulnerableCode Package Details - pkg:maven/org.apache.spark/spark-core

Search for packages

Vulnerability	Summary	Fixed by
VCID-6he5-ksrc-8kck Aliases: CVE-2017-12612 GHSA-8rhc-48pp-52gr PYSEC-2017-147	In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.	2.1.2 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-adht-u2kn-j3hh Aliases: CVE-2017-7678 GHSA-r34r-f84j-5x4x	Cross-site Scripting It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.	2.2.0 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-as3y-ffvw-rube Aliases: CVE-2018-17190 GHSA-phg2-9c5g-m4q7	Improper Authentication In all versions of Apache Spark, the standalone resource manager accepts code to execute on a `master` host, that then runs that code on `worker` hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-6he5-ksrc-8kck
Aliases:
CVE-2017-12612
GHSA-8rhc-48pp-52gr
PYSEC-2017-147

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.

2.1.2
Affected by 6 other vulnerabilities.

VCID-adht-u2kn-j3hh
Aliases:
CVE-2017-7678
GHSA-r34r-f84j-5x4x

Cross-site Scripting It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.

2.2.0
Affected by 4 other vulnerabilities.

VCID-as3y-ffvw-rube
Aliases:
CVE-2018-17190
GHSA-phg2-9c5g-m4q7

Improper Authentication In all versions of Apache Spark, the standalone resource manager accepts code to execute on a `master` host, that then runs that code on `worker` hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T20:50:21.810416+00:00	GitLab Importer	Affected by	VCID-as3y-ffvw-rube	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2018-17190.yml	38.4.0
2026-04-16T20:49:50.347088+00:00	GitLab Importer	Affected by	VCID-6he5-ksrc-8kck	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-12612.yml	38.4.0
2026-04-16T20:49:47.268136+00:00	GitLab Importer	Affected by	VCID-adht-u2kn-j3hh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-7678.yml	38.4.0
2026-04-11T22:01:00.722230+00:00	GitLab Importer	Affected by	VCID-as3y-ffvw-rube	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2018-17190.yml	38.3.0
2026-04-11T22:00:48.801342+00:00	GitLab Importer	Affected by	VCID-6he5-ksrc-8kck	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-12612.yml	38.3.0
2026-04-11T22:00:45.176860+00:00	GitLab Importer	Affected by	VCID-adht-u2kn-j3hh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-7678.yml	38.3.0
2026-04-02T22:14:02.986023+00:00	GitLab Importer	Affected by	VCID-as3y-ffvw-rube	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2018-17190.yml	38.1.0
2026-04-02T22:13:52.252468+00:00	GitLab Importer	Affected by	VCID-6he5-ksrc-8kck	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-12612.yml	38.1.0
2026-04-02T22:13:49.121064+00:00	GitLab Importer	Affected by	VCID-adht-u2kn-j3hh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-7678.yml	38.1.0
2026-04-01T16:31:33.501073+00:00	GitLab Importer	Affected by	VCID-as3y-ffvw-rube	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2018-17190.yml	38.0.0
2026-04-01T16:31:21.782806+00:00	GitLab Importer	Affected by	VCID-6he5-ksrc-8kck	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-12612.yml	38.0.0
2026-04-01T16:31:18.924739+00:00	GitLab Importer	Affected by	VCID-adht-u2kn-j3hh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.10/CVE-2017-7678.yml	38.0.0