Search for packages
| purl | pkg:pypi/pyspark@2.2.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1hnx-b71k-mqat
Aliases: BIT-spark-2023-22946 CVE-2023-22946 GHSA-329j-jfvr-rhr6 PYSEC-2023-44 |
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-21dx-vph5-yuhe
Aliases: BIT-spark-2020-9480 CVE-2020-9480 GHSA-wgx7-jwwm-cgjv PYSEC-2020-95 |
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). |
Affected by 5 other vulnerabilities. |
|
VCID-5uaa-p1dd-3yb3
Aliases: BIT-spark-2023-32007 CVE-2023-32007 GHSA-59hw-j9g6-mfg3 PYSEC-2023-72 |
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0. |
Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-aehs-6sa9-a3es
Aliases: BIT-spark-2021-38296 CVE-2021-38296 GHSA-9rr6-jpg7-9jg6 PYSEC-2022-186 |
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later |
Affected by 4 other vulnerabilities. |
|
VCID-h81x-x7wm-fqgx
Aliases: CVE-2018-11760 GHSA-fvxv-9xxr-h7wj PYSEC-2019-169 |
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-hfnr-s2a7-bkbv
Aliases: BIT-spark-2022-33891 CVE-2022-33891 GHSA-4x9r-j582-cgr8 PYSEC-2022-236 |
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. |
Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-tytb-xy56-kffn
Aliases: PYSEC-2019-44 |
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. |
Affected by 6 other vulnerabilities. |
|
VCID-v1xx-eddq-aqcu
Aliases: BIT-spark-2022-31777 CVE-2022-31777 GHSA-43xg-8wmj-cw8h PYSEC-2022-42976 |
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-vqmm-ru8x-ukcx
Aliases: CVE-2019-10099 GHSA-fp5j-3fpf-mhj5 PYSEC-2019-114 |
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-y6p4-rd9t-cqad | In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. |
CVE-2018-1334
GHSA-6mqq-8r44-vmjc PYSEC-2018-25 |