Search for packages
| purl | pkg:pypi/pyspark@3.1.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2vzj-x4mg-aaan
Aliases: BIT-2023-32007 BIT-spark-2023-32007 CVE-2023-32007 GHSA-59hw-j9g6-mfg3 PYSEC-0000-CVE-2023-32007 PYSEC-2023-72 |
Apache Spark UI vulnerable to Command Injection |
Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-4at1-k27t-aaan
Aliases: BIT-2022-33891 BIT-spark-2022-33891 CVE-2022-33891 GHSA-4x9r-j582-cgr8 PYSEC-2022-236 |
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. |
Affected by 1 other vulnerability. |
|
VCID-j1bf-qu1s-aaaf
Aliases: BIT-2022-31777 BIT-spark-2022-31777 CVE-2022-31777 GHSA-43xg-8wmj-cw8h PYSEC-0000-CVE-2022-31777 PYSEC-2022-42976 |
Apache Spark vulnerable to Injection |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-rpye-3x95-aaah
Aliases: BIT-2023-22946 BIT-spark-2023-22946 CVE-2023-22946 GHSA-329j-jfvr-rhr6 PYSEC-0000-CVE-2023-22946 PYSEC-2023-44 |
Apache Spark vulnerable to Improper Privilege Management |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-4at1-k27t-aaan | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. |
BIT-2022-33891
BIT-spark-2022-33891 CVE-2022-33891 GHSA-4x9r-j582-cgr8 PYSEC-2022-236 |
| VCID-tetp-hmwv-aaag | Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later |
BIT-2021-38296
BIT-spark-2021-38296 CVE-2021-38296 GHSA-9rr6-jpg7-9jg6 PYSEC-2022-186 |