{"url":"http://public2.vulnerablecode.io/api/packages/12870?format=json","purl":"pkg:pypi/pyspark@2.2.3","type":"pypi","namespace":"","name":"pyspark","version":"2.2.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.4.4","latest_non_vulnerable_version":"3.5.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35577?format=json","vulnerability_id":"VCID-4rcx-smaw-c3an","summary":"In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9480.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9480.json"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2020-95.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2020-95.yaml"},{"reference_url":"https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b@%3Cuser.spark.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b@%3Cuser.spark.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b@%3Ccommits.doris.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b@%3Ccommits.doris.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d@%3Ccommits.submarine.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d@%3Ccommits.submarine.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2@%3Cdev.spark.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2@%3Cdev.spark.apache.org%3E"},{"reference_url":"https://spark.apache.org/security.html#CVE-2020-9480","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://spark.apache.org/security.html#CVE-2020-9480"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1887887","reference_id":"1887887","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1887887"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9480","reference_id":"CVE-2020-9480","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9480"},{"reference_url":"https://github.com/advisories/GHSA-wgx7-jwwm-cgjv","reference_id":"GHSA-wgx7-jwwm-cgjv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wgx7-jwwm-cgjv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/17713?format=json","purl":"pkg:pypi/pyspark@2.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-dwzq-skka-qkhj"},{"vulnerability":"VCID-pue3-vp1e-xkat"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@2.4.6"}],"aliases":["CVE-2020-9480","GHSA-wgx7-jwwm-cgjv","PYSEC-2020-95"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4rcx-smaw-c3an"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37133?format=json","vulnerability_id":"VCID-713x-tc78-rua3","summary":"This issue affects Apache Spark versions before  3.4.4, 3.5.2 and 4.0.0.\n\n\n\nApache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.\n\nWhen spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.\n\nThis vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.\n\n\nTo mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or\n\nenable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.","references":[{"reference_url":"https://github.com/apache/spark","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark"},{"reference_url":"https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/10/14/11","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/10/14/11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55039","reference_id":"CVE-2025-55039","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55039"},{"reference_url":"https://github.com/advisories/GHSA-6p6v-m64v-jx8q","reference_id":"GHSA-6p6v-m64v-jx8q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6p6v-m64v-jx8q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46381?format=json","purl":"pkg:pypi/pyspark@3.4.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/46382?format=json","purl":"pkg:pypi/pyspark@3.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.5.2"}],"aliases":["CVE-2025-55039","GHSA-6p6v-m64v-jx8q","PYSEC-2025-184"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-713x-tc78-rua3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36419?format=json","vulnerability_id":"VCID-adsy-uby8-gkc9","summary":"In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.\n\nUpdate to Apache Spark 3.4.0 or later, and ensure that \nspark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its \ndefault of \"false\", and is not overridden by submitted applications.","references":[{"reference_url":"https://github.com/apache/spark","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark"},{"reference_url":"https://github.com/apache/spark/commit/909da96e1471886a01a9e1def93630c4fd40e74a","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark/commit/909da96e1471886a01a9e1def93630c4fd40e74a"},{"reference_url":"https://github.com/apache/spark/pull/39474","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark/pull/39474"},{"reference_url":"https://github.com/apache/spark/pull/41428","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark/pull/41428"},{"reference_url":"https://github.com/degant/spark/commit/bfba57724d2520e0fcaa7990f7257c21d11cd75a","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/degant/spark/commit/bfba57724d2520e0fcaa7990f7257c21d11cd75a"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-44.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-44.yaml"},{"reference_url":"https://issues.apache.org/jira/browse/SPARK-41958","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SPARK-41958"},{"reference_url":"https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22946","reference_id":"CVE-2023-22946","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22946"},{"reference_url":"https://github.com/advisories/GHSA-329j-jfvr-rhr6","reference_id":"GHSA-329j-jfvr-rhr6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-329j-jfvr-rhr6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33284?format=json","purl":"pkg:pypi/pyspark@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/33285?format=json","purl":"pkg:pypi/pyspark@3.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.4.0"}],"aliases":["CVE-2023-22946","GHSA-329j-jfvr-rhr6","PYSEC-2023-44"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-adsy-uby8-gkc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36050?format=json","vulnerability_id":"VCID-dwzq-skka-qkhj","summary":"Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later","references":[{"reference_url":"https://github.com/advisories/GHSA-9rr6-jpg7-9jg6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9rr6-jpg7-9jg6"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml"},{"reference_url":"https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38296","reference_id":"CVE-2021-38296","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38296"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26851?format=json","purl":"pkg:pypi/pyspark@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.3"}],"aliases":["CVE-2021-38296","GHSA-9rr6-jpg7-9jg6","PYSEC-2022-186"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dwzq-skka-qkhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35395?format=json","vulnerability_id":"VCID-ntyz-qt6e-vqf3","summary":"Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.","references":[{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-114.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-114.yaml"},{"reference_url":"https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10099","reference_id":"CVE-2019-10099","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10099"},{"reference_url":"https://github.com/advisories/GHSA-fp5j-3fpf-mhj5","reference_id":"GHSA-fp5j-3fpf-mhj5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fp5j-3fpf-mhj5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13928?format=json","purl":"pkg:pypi/pyspark@2.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4rcx-smaw-c3an"},{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-dwzq-skka-qkhj"},{"vulnerability":"VCID-pue3-vp1e-xkat"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@2.3.3"}],"aliases":["CVE-2019-10099","GHSA-fp5j-3fpf-mhj5","PYSEC-2019-114"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ntyz-qt6e-vqf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36145?format=json","vulnerability_id":"VCID-pue3-vp1e-xkat","summary":"The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.","references":[{"reference_url":"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33891.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33891.json"},{"reference_url":"https://github.com/advisories/GHSA-4x9r-j582-cgr8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4x9r-j582-cgr8"},{"reference_url":"https://github.com/apache/spark","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-236.yaml"},{"reference_url":"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-33891","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-33891"},{"reference_url":"https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891"},{"reference_url":"https://www.openwall.com/lists/oss-security/2023/05/02/1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2023/05/02/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/05/02/1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/05/02/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2174263","reference_id":"2174263","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2174263"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26849?format=json","purl":"pkg:pypi/pyspark@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-dwzq-skka-qkhj"},{"vulnerability":"VCID-k829-sb45-hba9"},{"vulnerability":"VCID-pue3-vp1e-xkat"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/26851?format=json","purl":"pkg:pypi/pyspark@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/28592?format=json","purl":"pkg:pypi/pyspark@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.2"}],"aliases":["CVE-2022-33891","GHSA-4x9r-j582-cgr8","PYSEC-2022-236"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pue3-vp1e-xkat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36432?format=json","vulnerability_id":"VCID-sr15-sfp8-vkfg","summary":"** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\n\nUsers are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.","references":[{"reference_url":"https://github.com/apache/spark","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-72.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-72.yaml"},{"reference_url":"https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv"},{"reference_url":"https://spark.apache.org/security.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://spark.apache.org/security.html"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2022-33891","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/CVERecord?id=CVE-2022-33891"},{"reference_url":"https://www.openwall.com/lists/oss-security/2023/05/02/1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2023/05/02/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/05/02/1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/05/02/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32007","reference_id":"CVE-2023-32007","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32007"},{"reference_url":"https://github.com/advisories/GHSA-59hw-j9g6-mfg3","reference_id":"GHSA-59hw-j9g6-mfg3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-59hw-j9g6-mfg3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26849?format=json","purl":"pkg:pypi/pyspark@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-dwzq-skka-qkhj"},{"vulnerability":"VCID-k829-sb45-hba9"},{"vulnerability":"VCID-pue3-vp1e-xkat"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/28590?format=json","purl":"pkg:pypi/pyspark@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-pue3-vp1e-xkat"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/28592?format=json","purl":"pkg:pypi/pyspark@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.2"}],"aliases":["CVE-2023-32007","GHSA-59hw-j9g6-mfg3","PYSEC-2023-72"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sr15-sfp8-vkfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36289?format=json","vulnerability_id":"VCID-xxtq-3ec6-m7hj","summary":"A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31777.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31777.json"},{"reference_url":"https://github.com/apache/spark","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark"},{"reference_url":"https://github.com/apache/spark/commit/ad90195de56688ce0898691eb9d04297ab0871ad","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark/commit/ad90195de56688ce0898691eb9d04297ab0871ad"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-42976.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-42976.yaml"},{"reference_url":"https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31777","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31777"},{"reference_url":"https://web.archive.org/web/20220728105026/https://issues.apache.org/jira/browse/SPARK-39505","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20220728105026/https://issues.apache.org/jira/browse/SPARK-39505"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/11/01/14","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2022/11/01/14"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2145264","reference_id":"2145264","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2145264"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2100","reference_id":"RHSA-2023:2100","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2100"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28592?format=json","purl":"pkg:pypi/pyspark@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/33283?format=json","purl":"pkg:pypi/pyspark@3.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@3.3.1"}],"aliases":["CVE-2022-31777","GHSA-43xg-8wmj-cw8h","PYSEC-2022-42976"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xxtq-3ec6-m7hj"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35317?format=json","vulnerability_id":"VCID-mmf5-ctmn-b3ep","summary":"When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11760.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11760.json"},{"reference_url":"https://github.com/advisories/GHSA-fvxv-9xxr-h7wj","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fvxv-9xxr-h7wj"},{"reference_url":"https://github.com/apache/spark","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/spark"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-169.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-169.yaml"},{"reference_url":"https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e@%3Ccommits.spark.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e@%3Ccommits.spark.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E"},{"reference_url":"https://web.archive.org/web/20200227091119/http://www.securityfocus.com/bid/106786","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200227091119/http://www.securityfocus.com/bid/106786"},{"reference_url":"https://web.archive.org/web/20200925111106/https://issues.apache.org/jira/browse/SPARK-26802","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200925111106/https://issues.apache.org/jira/browse/SPARK-26802"},{"reference_url":"http://www.securityfocus.com/bid/106786","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/106786"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1672596","reference_id":"1672596","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1672596"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11760","reference_id":"CVE-2018-11760","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11760"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/12870?format=json","purl":"pkg:pypi/pyspark@2.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4rcx-smaw-c3an"},{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-dwzq-skka-qkhj"},{"vulnerability":"VCID-ntyz-qt6e-vqf3"},{"vulnerability":"VCID-pue3-vp1e-xkat"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@2.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/12869?format=json","purl":"pkg:pypi/pyspark@2.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4rcx-smaw-c3an"},{"vulnerability":"VCID-713x-tc78-rua3"},{"vulnerability":"VCID-adsy-uby8-gkc9"},{"vulnerability":"VCID-dwzq-skka-qkhj"},{"vulnerability":"VCID-ntyz-qt6e-vqf3"},{"vulnerability":"VCID-pue3-vp1e-xkat"},{"vulnerability":"VCID-sr15-sfp8-vkfg"},{"vulnerability":"VCID-xxtq-3ec6-m7hj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@2.3.2"}],"aliases":["CVE-2018-11760","GHSA-fvxv-9xxr-h7wj","PYSEC-2019-169"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mmf5-ctmn-b3ep"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyspark@2.2.3"}