Search for packages
| purl | pkg:pypi/pyspark@0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2md5-chbw-aaaj
Aliases: CVE-2018-1334 GHSA-6mqq-8r44-vmjc PYSEC-2018-25 |
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-4at1-k27t-aaan
Aliases: BIT-2022-33891 BIT-spark-2022-33891 CVE-2022-33891 GHSA-4x9r-j582-cgr8 PYSEC-2022-236 |
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. |
Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-6e2g-d1n5-aaam
Aliases: CVE-2019-10099 GHSA-fp5j-3fpf-mhj5 PYSEC-2019-114 PYSEC-2019-44 |
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. |
Affected by 6 other vulnerabilities. |
|
VCID-j1bf-qu1s-aaaf
Aliases: BIT-2022-31777 BIT-spark-2022-31777 CVE-2022-31777 GHSA-43xg-8wmj-cw8h PYSEC-0000-CVE-2022-31777 PYSEC-2022-42976 |
Apache Spark vulnerable to Injection |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-tetp-hmwv-aaag
Aliases: BIT-2021-38296 BIT-spark-2021-38296 CVE-2021-38296 GHSA-9rr6-jpg7-9jg6 PYSEC-2022-186 |
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-03-29T10:48:01.720655+00:00 | GHSA Importer | Affected by | VCID-4at1-k27t-aaan | None | 36.0.0 |
| 2025-03-29T10:47:57.888961+00:00 | GHSA Importer | Affected by | VCID-j1bf-qu1s-aaaf | None | 36.0.0 |
| 2025-01-17T02:39:26.815863+00:00 | GHSA Importer | Affected by | VCID-tetp-hmwv-aaag | None | 35.1.0 |
| 2024-11-21T18:37:13.328470+00:00 | GHSA Importer | Affected by | VCID-4at1-k27t-aaan | https://github.com/advisories/GHSA-4x9r-j582-cgr8 | 35.0.0 |
| 2024-10-25T00:30:43.856697+00:00 | GHSA Importer | Affected by | VCID-6e2g-d1n5-aaam | https://github.com/advisories/GHSA-fp5j-3fpf-mhj5 | 34.0.2 |
| 2024-10-22T13:45:14.483313+00:00 | GHSA Importer | Affected by | VCID-2md5-chbw-aaaj | https://github.com/advisories/GHSA-6mqq-8r44-vmjc | 34.0.2 |
| 2024-09-17T22:13:56.483334+00:00 | GHSA Importer | Affected by | VCID-4at1-k27t-aaan | https://github.com/advisories/GHSA-4x9r-j582-cgr8 | 34.0.1 |
| 2024-09-17T22:13:56.415386+00:00 | GHSA Importer | Affected by | VCID-j1bf-qu1s-aaaf | https://github.com/advisories/GHSA-43xg-8wmj-cw8h | 34.0.1 |
| 2024-01-03T17:44:06.430220+00:00 | GHSA Importer | Affected by | VCID-4at1-k27t-aaan | https://github.com/advisories/GHSA-4x9r-j582-cgr8 | 34.0.0rc1 |
| 2024-01-03T17:44:06.366963+00:00 | GHSA Importer | Affected by | VCID-j1bf-qu1s-aaaf | https://github.com/advisories/GHSA-43xg-8wmj-cw8h | 34.0.0rc1 |