Search for packages
| purl | pkg:pypi/pyspark@3.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1hnx-b71k-mqat
Aliases: BIT-spark-2023-22946 CVE-2023-22946 GHSA-329j-jfvr-rhr6 PYSEC-2023-44 |
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-v1xx-eddq-aqcu
Aliases: BIT-spark-2022-31777 CVE-2022-31777 GHSA-43xg-8wmj-cw8h PYSEC-2022-42976 |
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||