VulnerableCode Package Details - pkg:maven/org.apache.spark/spark-core@2.1.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-6e2g-d1n5-aaam Aliases: CVE-2019-10099 GHSA-fp5j-3fpf-mhj5 PYSEC-2019-114 PYSEC-2019-44	Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.	2.3.2 Affected by 0 other vulnerabilities.
VCID-d4tq-5zz1-aaaq Aliases: CVE-2018-11804 GHSA-62g2-m955-v383	Improper Input Validation The Apache Spark Maven-based build includes a convenience script, `build/mvn`, that downloads and runs a zinc server to speed up compilation. It has been included in release branches since, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-6e2g-d1n5-aaam
Aliases:
CVE-2019-10099
GHSA-fp5j-3fpf-mhj5
PYSEC-2019-114
PYSEC-2019-44

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

2.3.2
Affected by 0 other vulnerabilities.

VCID-d4tq-5zz1-aaaq
Aliases:
CVE-2018-11804
GHSA-62g2-m955-v383

Improper Input Validation The Apache Spark Maven-based build includes a convenience script, `build/mvn`, that downloads and runs a zinc server to speed up compilation. It has been included in release branches since, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T20:02:33.936240+00:00	GHSA Importer	Affected by	VCID-d4tq-5zz1-aaaq	None	36.0.0
2024-09-17T22:37:27.354274+00:00	GitLab Importer	Affected by	VCID-6e2g-d1n5-aaam	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core/CVE-2019-10099.yml	34.0.1
2024-09-17T21:59:57.750796+00:00	GHSA Importer	Affected by	VCID-d4tq-5zz1-aaaq	https://github.com/advisories/GHSA-62g2-m955-v383	34.0.1
2024-01-03T18:00:22.132106+00:00	GitLab Importer	Affected by	VCID-6e2g-d1n5-aaam	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.spark/spark-core/CVE-2019-10099.yml	34.0.0rc1
2024-01-03T17:39:24.069695+00:00	GHSA Importer	Affected by	VCID-d4tq-5zz1-aaaq	https://github.com/advisories/GHSA-62g2-m955-v383	34.0.0rc1