Search for packages
| purl | pkg:pypi/pyspark@2.4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2vzj-x4mg-aaan
Aliases: BIT-2023-32007 BIT-spark-2023-32007 CVE-2023-32007 GHSA-59hw-j9g6-mfg3 PYSEC-0000-CVE-2023-32007 PYSEC-2023-72 |
Apache Spark UI vulnerable to Command Injection |
Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-3hbk-p6fy-aaah
Aliases: BIT-2020-9480 BIT-spark-2020-9480 CVE-2020-9480 GHSA-wgx7-jwwm-cgjv PYSEC-2020-95 |
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). |
Affected by 5 other vulnerabilities. |
|
VCID-4at1-k27t-aaan
Aliases: BIT-2022-33891 BIT-spark-2022-33891 CVE-2022-33891 GHSA-4x9r-j582-cgr8 PYSEC-2022-236 |
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. |
Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-j1bf-qu1s-aaaf
Aliases: BIT-2022-31777 BIT-spark-2022-31777 CVE-2022-31777 GHSA-43xg-8wmj-cw8h PYSEC-0000-CVE-2022-31777 PYSEC-2022-42976 |
Apache Spark vulnerable to Injection |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-rpye-3x95-aaah
Aliases: BIT-2023-22946 BIT-spark-2023-22946 CVE-2023-22946 GHSA-329j-jfvr-rhr6 PYSEC-0000-CVE-2023-22946 PYSEC-2023-44 |
Apache Spark vulnerable to Improper Privilege Management |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-tetp-hmwv-aaag
Aliases: BIT-2021-38296 BIT-spark-2021-38296 CVE-2021-38296 GHSA-9rr6-jpg7-9jg6 PYSEC-2022-186 |
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||