Remote Code Execution (RCE)
spark-network-common is vulnerable to remote code execution. The vulnerability exists because it is possible to craft an RPC request that starts an application's resources on the Spark cluster without presenting a shared key, allowing it to be leveraged for running shell commands...
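The advisory above turns on whether the cluster requires a shared secret for RPC. The following is an added example, not code from the advisory or from the Spark project: it audits a spark-defaults.conf for that setting. The property names spark.authenticate, spark.authenticate.secret and spark.master are real Spark configuration keys; the two config texts and the secret placeholder are constructed for illustration. The check assumes, as the Spark documentation states, that YARN and local deployments generate the secret automatically while standalone and other deployments must set it explicitly.

```python
# Added example (not part of the advisory): flag a Spark configuration that
# accepts RPC requests without a shared secret.

def parse_spark_conf(text):
    """Parse spark-defaults.conf text: one 'key value' pair per line,
    separated by whitespace; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a key with no value carries no setting
        key, value = parts
        props[key] = value.strip()
    return props


def audit_rpc_auth(props):
    """Return a list of findings; an empty list means RPC authentication
    is enabled and a secret is available to the cluster."""
    findings = []
    auth = props.get("spark.authenticate", "false").lower()
    if auth != "true":
        findings.append(
            "spark.authenticate is not true: RPC requests are accepted "
            "without a shared secret")
        return findings
    # Assumption: YARN and local masters generate the secret themselves;
    # standalone (spark://), Mesos and Kubernetes deployments need it set.
    master = props.get("spark.master", "")
    auto_secret = master.startswith(("yarn", "local"))
    if not auto_secret and not props.get("spark.authenticate.secret"):
        findings.append(
            "spark.authenticate is true but spark.authenticate.secret is "
            "not set for a non-YARN master")
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONF = """
# standalone cluster, authentication left at its default
spark.master            spark://master.example.internal:7077
spark.authenticate      false
"""

FIXED_CONF = """
spark.master              spark://master.example.internal:7077
spark.authenticate        true
spark.authenticate.secret REPLACE-WITH-A-LONG-RANDOM-SECRET
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        findings = audit_rpc_auth(parse_spark_conf(conf))
        print(name, "->", findings or "ok")
```

The secret must also reach every worker and driver; setting it only on the master leaves the cluster in the state the advisory describes, so run the audit against each node's effective configuration rather than one file.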
Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it is possible for a malicious user to construct a URL pointing to a Spark cluster UI's job and stage info pages; if a user can be tricked into accessing the URL, it can be used to cause script to execute and expose information from the...
Cross-Site Scripting (XSS)
spark-core is vulnerable to cross-site scripting (XSS). An attacker is able to inject arbitrary script into a user's browser by constructing a URL that points to a Spark cluster's job and stage information pages. When exploited, an attacker is able to steal the user's credentials or information fro...
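Both XSS entries above describe the same attack surface: a crafted URL to the job and stage pages of the Spark UI. The following is an added example, not code from either advisory or from the Spark project: it scans web-server or reverse-proxy access logs for requests to those pages whose query string carries script markup. The path prefixes /jobs/ and /stages/ and the log format are assumptions, and the log lines are constructed for illustration.

```python
# Added example (not part of the advisory): detect script payloads aimed at
# the Spark UI job and stage pages in access-log lines.
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: the job and stage pages live under these UI path prefixes.
SPARK_UI_PATHS = ("/jobs/", "/stages/")

# Markup that has no business in a job or stage id: script tags, javascript:
# URLs, and the common inline event handlers.
SCRIPT_PATTERN = re.compile(
    r"<\s*script|javascript:|\bon(error|load|click|mouseover)\s*=",
    re.IGNORECASE)

# Common-log-style request field: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_ui_requests(log_lines):
    """Return the request targets that point at a job/stage page and carry
    script markup in the query string, after URL decoding."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        parts = urlsplit(target)
        if not parts.path.startswith(SPARK_UI_PATHS):
            continue
        # Decode twice so a double-encoded payload (%253C...) is caught too.
        decoded = unquote_plus(unquote_plus(parts.query))
        if SCRIPT_PATTERN.search(decoded):
            hits.append(target)
    return hits


# Constructed sample log lines; the third is the crafted request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] "GET /jobs/job/?id=3 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Jan/2018:10:00:01 +0000] "GET /stages/stage/?id=1&attempt=0 HTTP/1.1" 200 5678',
    '198.51.100.7 - - [01/Jan/2018:10:00:02 +0000] '
    '"GET /stages/stage/?id=1&attempt=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 42',
    '198.51.100.7 - - [01/Jan/2018:10:00:03 +0000] "GET /environment/?x=%3Cscript%3E HTTP/1.1" 200 42',
]


if __name__ == "__main__":
    for target in suspicious_ui_requests(SAMPLE_LOG):
        print("suspicious:", target)
```

The last sample line is deliberately not reported because it targets a page the advisories do not name; widening SPARK_UI_PATHS to cover the whole UI is a one-line change if the deployment warrants it. A 200 response on a flagged request does not by itself mean the script ran; it only shows the payload reached a page listed as affected, so correlate the source address with the UI's sessions before treating it as an incident.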