18 matches found
ai.catboost:catboost-spark_3.0_2.12 (>=0.25 <=1.2.8), ai.catboost:catboost-spark_3.1_2.12 (>=1.0.1 <=1.2.8) +1478 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.12 (>=3.0.0-preview <=3.5.6)
org.apache.spark:spark-core_2.12 MAVEN version =3.0.0-preview, =0.25, =1.0.1, =1.0.6, =1.1, =1.2, =1.2.3, =0.0.25, =0.0.25, =0.0.62, =0.0.25, =0.0.86, =0.0.8, =0.0.6, =0.20.0, =0.22.0, =0.36.0 and more Source cves: CVE-2025-54920 Source advisory: SNYK:JAVA-ORGAPACHESPARK-15623151...
ai.catboost:catboost-spark_3.2_2.13 (>=1.0.6 <=1.2.10), ai.catboost:catboost-spark_3.3_2.13 (>=1.1.1 <=1.2.10) +314 more potentially affected by CVE-2025-55039 via org.apache.spark:spark-network-common_2.13 (>=3.2.0 <=3.4.3)
org.apache.spark:spark-network-common_2.13 MAVEN version =3.2.0, =1.0.6, =1.1.1, =1.2, =0.0.25, =0.0.25, =0.0.25, =0.0.86, =0.0.14, =0.20, =1.1.3, =1.4.0, =1.5.0, =1.5.0, =1.8.0 and more Source cves: CVE-2025-55039 Source advisory: OSV:GHSA-6P6V-M64V-JX8Q...
CVE-2025-55039
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but...
ai.catboost:catboost-spark_3.2_2.13 (>=1.0.6 <=1.2.10), ai.catboost:catboost-spark_3.3_2.13 (>=1.1.1 <=1.2.10) +314 more potentially affected by CVE-2025-55039 via org.apache.spark:spark-network-common_2.13 (>=3.2.0 <=3.4.3)
org.apache.spark:spark-network-common_2.13 MAVEN version =3.2.0, =1.0.6, =1.1.1, =1.2, =0.0.25, =0.0.25, =0.0.25, =0.0.86, =0.0.14, =0.20, =1.1.3, =1.4.0, =1.5.0, =1.5.0, =1.8.0 and more Source cves: CVE-2025-55039 Source advisory: SNYK:JAVA-ORGAPACHESPARK-13553869...
SUSE CVE-2018-1334
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application...
SUSE CVE-2018-11760
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1...
ae.teletronics.nlp:entityextraction (=1.3), ai.catboost:catboost-spark_2.11 (>=0.25-rc1 <=0.25-rc3) +9217 more potentially affected by CVE-2022-45693 via org.codehaus.jettison:jettison (>=1.0 <=1.5.1)
org.codehaus.jettison:jettison MAVEN version =1.0, =0.25-rc1, =0.25-rc1, =0.25, =0.25, =0.25, =0.25, =1.0.1, =1.0.6, =1.0.6, =1.1, =1.1.1, =1.2, =1.2, =1.2.3, =1.2.10 and more Source cves: CVE-2022-45693 Source advisory: OSV:GHSA-GRR4-WV38-F68W...
Apache Spark Unauthenticated Command Injection RCE
This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs...
PYSEC-2022-236
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to...
ai.catboost:catboost-spark_3.0_2.12 (>=0.25 <=1.2.8), ai.catboost:catboost-spark_3.1_2.12 (>=1.0.1 <=1.2.8) +3347 more potentially affected by CVE-2021-28168 via org.glassfish.jersey.core:jersey-common (>=2.28 <=2.33)
org.glassfish.jersey.core:jersey-common MAVEN version =2.28, =0.25, =1.0.1, =0.0.25, =0.0.25, =0.0.62, =0.0.25, =0.0.86, =0.0.8, =0.0.6, =0.0.12, =0.0.1, =3.34.0.3-1-3.0, =0.0.3, =0.0.3, =0.0.8 and more Source cves: CVE-2021-28168 Source advisory: OSV:GHSA-C43Q-5HPJ-4CRV...
ae.teletronics.nlp:entityextraction (=1.3), ae.teletronics.nlp:w2vec (=1.0) +635 more potentially affected by CVE-2018-1334 via org.apache.spark:spark-core_2.11 (>=1.2.0 <=2.1.2)
org.apache.spark:spark-core_2.11 MAVEN version =1.2.0, =2.0.0, =2.0.0, =2.0.0, =2.0.18, =2.0.0, =1.0.0, =0.5.2, =1.0, =2.11-2.1.1-2.2.0, =4.2.0, =4.2.0, =5.0.0 and more Source cves: CVE-2018-1334 Source advisory: OSV:GHSA-6MQQ-8R44-VMJC...
ai.h2o:sparkling-water-core_2.11 (>=2.1.0 <=2.1.24), ai.h2o:sparkling-water-examples_2.11 (>=2.1.0 <=2.1.31) +296 more potentially affected by CVE-2018-8024 via org.apache.spark:spark-core_2.11 (>=2.1.0 <=2.1.2)
org.apache.spark:spark-core_2.11 MAVEN version =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.17, =2.1.0, =1.0.0, =2.11-2.1.1-2.2.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =1.0.0, =1.1.2 and more Source cves: CVE-2018-8024 Source advisory: OSV:GHSA-8CW6-5QVP-Q3WJ...
GHSA-8CW6-5QVP-Q3WJ Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the...
ch.zzeekk.spark:spark-temporalquery_2.10 (=1.0.0), com.antgroup.tugraph:calcite-spark (>=1.18.0-geaflow_1.0 <=1.18.0-geaflow_1.1) +159 more potentially affected by CVE-2018-17190 via org.apache.spark:spark-core_2.10 (>=2.0.0-preview <=2.2.3)
org.apache.spark:spark-core_2.10 MAVEN version =2.0.0-preview, =1.18.0-geaflow_1.0, =0.1.0, =2.0.0, =0.8.2, =1.1.0, =2.0.0, =2.0.0, =2.0.0, =2.0.13 and more Source cves: CVE-2018-17190 Source advisory: OSV:GHSA-PHG2-9C5G-M4Q7...
com.datastax.spark:spark-cassandra-connector-demos_2.10 (>=1.0.0 <=1.0.6), com.datastax.spark:spark-cassandra-connector-java_2.10 (>=1.0.0 <=1.0.6) +23 more potentially affected by CVE-2018-17190 via org.apache.spark:spark-core_2.10 (>=0.9.0-incubating <=0.9.2)
org.apache.spark:spark-core_2.10 MAVEN version =0.9.0-incubating, =1.0.0, =1.0.0, =1.0.0, =0.2.2, =0.2.2, =0.2.2, =0.9.0-C2-EA, =0.5.0, =0.9.0, =0.8.3, =0.9.0-incubating, =0.9.0-incubating, =0.9.2 and more Source cves: CVE-2018-17190 Source advisory: OSV:GHSA-PHG2-9C5G-M4Q7...
PYSEC-2018-25
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application...
Openfire 3.6.4 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/45682/info Openfire is prone to multiple cross-site-scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an...