{"url":"http://public2.vulnerablecode.io/api/packages/34241?format=json","purl":"pkg:pypi/apache-airflow-providers-apache-spark@1.0.0rc1","type":"pypi","namespace":"","name":"apache-airflow-providers-apache-spark","version":"1.0.0rc1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.1.3","latest_non_vulnerable_version":"4.1.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17304?format=json","vulnerability_id":"VCID-8k6a-fph5-pkad","summary":"Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.This issue affects Apache Airflow Spark Provider: before 4.0.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28710","reference_id":"","reference_type":"","scores":[{"value":"0.01884","scoring_system":"epss","scoring_elements":"0.83482","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28710"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/30223","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T15:28:06Z/"}],"url":"https://github.com/apache/airflow/pull/30223"},{"reference_url":"https://lists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v5x1p1d2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T15:28:06Z/"}],"url":"https://lists.apache.org/thread/lb9w9114ow00h2nkn8bjm106v5x1p1d2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/04/07/3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T15:28:06Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/04/07/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28710","reference_id":"CVE-2023-28710","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28710"},{"reference_url":"https://github.com/advisories/GHSA-ffj9-4crc-q7wf","reference_id":"GHSA-ffj9-4crc-q7wf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ffj9-4crc-q7wf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34273?format=json","purl":"pkg:pypi/apache-airflow-providers-apache-spark@4.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tue4-mras-u7ec"},{"vulnerability":"VCID-vdqq-8m22-d3dy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow-providers-apache-spark@4.0.1"}],"aliases":["CVE-2023-28710","GHSA-ffj9-4crc-q7wf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8k6a-fph5-pkad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8867?format=json","vulnerability_id":"VCID-tue4-mras-u7ec","summary":"Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.\n\nWhen the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend administrators to review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users.\n\nTo view the warning in the docs please visit  https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40195","reference_id":"","reference_type":"","scores":[{"value":"0.03032","scoring_system":"epss","scoring_elements":"0.86891","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40195"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/6850b5c777fa515e110ad1daa85242209a8ec6c0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/6850b5c777fa515e110ad1daa85242209a8ec6c0"},{"reference_url":"https://github.com/apache/airflow/pull/33233","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:27:26Z/"}],"url":"https://github.com/apache/airflow/pull/33233"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow-providers-apache-spark/PYSEC-2023-156.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow-providers-apache-spark/PYSEC-2023-156.yaml"},{"reference_url":"https://lists.apache.org/thread/fzy95b1d6zv31j5wrx3znhzcscck2o24","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:27:26Z/"}],"url":"https://lists.apache.org/thread/fzy95b1d6zv31j5wrx3znhzcscck2o24"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40195","reference_id":"CVE-2023-40195","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40195"},{"reference_url":"https://github.com/advisories/GHSA-8q28-pw9g-w82c","reference_id":"GHSA-8q28-pw9g-w82c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8q28-pw9g-w82c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34282?format=json","purl":"pkg:pypi/apache-airflow-providers-apache-spark@4.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow-providers-apache-spark@4.1.3"}],"aliases":["CVE-2023-40195","GHSA-8q28-pw9g-w82c","PYSEC-2023-156"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tue4-mras-u7ec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18287?format=json","vulnerability_id":"VCID-vdqq-8m22-d3dy","summary":"Apache Airflow Spark Provider Improper Input Validation vulnerability\nApache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server.\nIt is recommended to upgrade to a version that is not affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40272","reference_id":"","reference_type":"","scores":[{"value":"0.00648","scoring_system":"epss","scoring_elements":"0.71129","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40272"},{"reference_url":"https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtqmw6k1l7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T19:37:59Z/"}],"url":"https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtqmw6k1l7"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/08/17/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T19:37:59Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/08/17/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/08/18/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T19:37:59Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/08/18/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40272","reference_id":"CVE-2023-40272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40272"},{"reference_url":"https://github.com/advisories/GHSA-r2f6-6928-fh8f","reference_id":"GHSA-r2f6-6928-fh8f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2f6-6928-fh8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34282?format=json","purl":"pkg:pypi/apache-airflow-providers-apache-spark@4.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow-providers-apache-spark@4.1.3"}],"aliases":["CVE-2023-40272","GHSA-r2f6-6928-fh8f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vdqq-8m22-d3dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204822?format=json","vulnerability_id":"VCID-y76t-bjep-43fd","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40954","reference_id":"","reference_type":"","scores":[{"value":"0.01131","scoring_system":"epss","scoring_elements":"0.78639","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40954"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/27646","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:49:57Z/"}],"url":"https://github.com/apache/airflow/pull/27646"},{"reference_url":"https://lists.apache.org/thread/0tmdlnmjs5t4gsx5fy73tb6zd3jztq45","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:49:57Z/"}],"url":"https://lists.apache.org/thread/0tmdlnmjs5t4gsx5fy73tb6zd3jztq45"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40954","reference_id":"CVE-2022-40954","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40954"},{"reference_url":"https://github.com/advisories/GHSA-45r6-j3cc-6mxx","reference_id":"GHSA-45r6-j3cc-6mxx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-45r6-j3cc-6mxx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34271?format=json","purl":"pkg:pypi/apache-airflow-providers-apache-spark@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8k6a-fph5-pkad"},{"vulnerability":"VCID-tue4-mras-u7ec"},{"vulnerability":"VCID-vdqq-8m22-d3dy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow-providers-apache-spark@4.0.0"}],"aliases":["CVE-2022-40954","GHSA-45r6-j3cc-6mxx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y76t-bjep-43fd"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow-providers-apache-spark@1.0.0rc1"}