Package details: pkg:maven/org.apache.spark/spark-core_2.11@1.0.0
purl pkg:maven/org.apache.spark/spark-core_2.11@1.0.0
Tags Ghost
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (2)
| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| VCID-pa42-1gk4-9yhj (Aliases: CVE-2018-11770, GHSA-w4r4-65mg-45x2) | Improper Authentication. Apache Spark standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property `spark.authenticate.secret` establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. | 2.3.3 (affected by 2 other vulnerabilities) |
| VCID-y6p4-rd9t-cqad (Aliases: CVE-2018-1334, GHSA-6mqq-8r44-vmjc, PYSEC-2018-25) | In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | 2.1.3 (affected by 5 other vulnerabilities); 2.2.2 (affected by 4 other vulnerabilities); 2.3.1 (affected by 4 other vulnerabilities) |
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-01T15:57:23.202363+00:00 | GHSA Importer | Affected by | VCID-y6p4-rd9t-cqad | https://github.com/advisories/GHSA-6mqq-8r44-vmjc | 38.0.0 |
| 2026-04-01T15:57:06.107007+00:00 | GHSA Importer | Affected by | VCID-pa42-1gk4-9yhj | https://github.com/advisories/GHSA-w4r4-65mg-45x2 | 38.0.0 |
| 2026-04-01T12:48:08.343346+00:00 | GitLab Importer | Affected by | VCID-pa42-1gk4-9yhj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core_2.11/CVE-2018-11770.yml | 38.0.0 |