22 matches found
CVE-2024-23945
CVE-2024-23945 → CookieSigner exposes the correct cookie signature to end users when a signature mismatch occurs. Affected: Hive service component and Spark Hive-ThriftServer (versions tied to HIVE-9710 1.2.0 and SPARK-14987 2.0.0). Root cause: flawed CookieSigner logic allows exposure of the sig...
CVE-2022-33891
Summary: CVE-2022-33891 is a command-injection vulnerability in the Apache Spark UI when ACLs are enabled. A code path in HttpSecurityFilter can impersonate by supplying an arbitrary username, leading to an arbitrary shell command being executed as the Spark process user. Affected versions includ...
CVE-2019-10172
CVE-2019-10172 describes an XML External Entity (XXE) vulnerability in org.codehaus.jackson:jackson-mapper-asl:1.9.x (Codehaus Jackson). Connected sources confirm the flaw affecting jackson-mapper-asl libraries and note that CVE-2016-3720 affects related code, in different classes. Public advisor...
CVE-2020-27218
CVE-2020-27218 affects Eclipse Jetty 9.4.x (9.4.0.RC0–9.4.34.v20201102), 10.x (10.0.0.alpha0–beta2), and 11.x (11.0.0.alpha0–beta2). When GZIP request body inflation is enabled and requests from different clients are multiplexed on one connection, an attacker who can send a body that is received ...
CVE-2020-27223
CVE-2020-27223 affects Eclipse Jetty 9.4.6.v20170531–9.4.36.v20210114, 10.0.0, and 11.0.0, where handling requests with multiple Accept headers and many quality (q) values can cause high CPU usage and a DoS. Public sources consistently describe CPU exhaustion as the impact. Remediation is to upgr...
CVE-2019-20445
CVE-2019-20445 affects Netty’s HttpObjectDecoder: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header, enabling HTTP request parsing ambiguities. This can enable request-smuggling-like s...
CVE-2018-8024
Apache Spark UI cross-site scripting (CVE-2018-8024) affects Spark UI before 2.3.2, including 2.1.0–2.1.2, 2.2.0–2.2.1, and 2.3.0. A malicious user can craft a URL to the Spark UI’s /jobs/ endpoint; if a user visits the URL, JavaScript can execute in the victim’s browser within the Spark UI conte...
CVE-2023-32007
CVE-2023-32007 describes a command injection in the Apache Spark UI when ACLs are enabled via spark.acls.enable. A path in HttpSecurityFilter could allow impersonation by supplying an arbitrary username, enabling a permission check to build and execute a Unix shell command as the Spark process us...
CVE-2020-9480
The CVE-2020-9480 issue affects Apache Spark 2.4.5 and earlier, where a standalone resource manager master configured with spark.authenticate can still be exploited by a crafted RPC to start applications’ resources and run arbitrary shell commands on the host. The vulnerability arises when authen...
CVE-2021-38296
CVE-2021-38296 affects Apache Spark where versions up to 3.1.2 use a bespoke mutual authentication protocol for end-to-end RPC encryption that can enable full encryption key recovery and offline decryption of plaintext traffic. The issue is limited to Spark’s key exchange/authentication path and ...
CVE-2022-31777
CVE-2022-31777 — Apache Spark XSS : A stored XSS in Spark 3.2.1 and earlier and 3.3.0 arises from improper validation in the log viewer. An attacker can lure a user to click a crafted URL to execute arbitrary JavaScript in the victim’s browser, potentially compromising cookies and session data. A...
CVE-2018-17190
CVE-2018-17190 affects Apache Spark’s standalone resource manager. A specially crafted request can cause the master to execute code on worker nodes, even though the master is not intended to run user code. This vulnerability is described as not affecting standalone clusters with authentication en...
CVE-2018-11770
CVE-2018-11770 affects Apache Spark 1.3.0+ where the standalone master exposes a REST API for job submission that bypasses the configured spark.authenticate.secret. The REST API does not require authentication and, per multiple sources, could allow a user to run a driver program without authentic...
CVE-2023-22946
CVE-2023-22946 affects Apache Spark prior to 3.4.0. An attacker can abuse a proxy-user configuration by placing malicious configuration classes on the classpath, enabling code execution with the privileges of the submitting user (e.g., in environments using Livy). The vulnerability arises when sp...
CVE-2019-10099
CVE-2019-10099 affects Apache Spark deployments running versions prior to 2.3.3. In certain scenarios, Spark could write user data to local disk unencrypted despite spark.io.encryption.enabled=true. The issue encompasses cached blocks written to disk (controlled by spark.maxRemoteBlockSizeFetchTo...
CVE-2017-7678
CVE-2017-7678 affects Apache Spark up to version 2.2.0, where the web UI may reflect user-supplied data (including MHTML) back to the user. The root cause is improper validation of input by the Spark web UI, allowing an attacker to lure a user into a link pointing to a shared Spark cluster and tr...
CVE-2018-11760
CVE-2018-11760 describes a PySpark-related local privilege issue in Apache Spark: a local authenticated user can connect to a running Spark application and impersonate the user running it. Affected Spark versions include 1.x, 2.0.x, 2.1.x, 2.2.0–2.2.2, and 2.3.0–2.3.1. IBM and related advisories ...
CVE-2018-1334
Apache Spark up to version 2.3.0 (affected: 1.0.0–2.1.2, 2.2.0–2.2.1, 2.3.0) is vulnerable to an impersonation flaw when using PySpark or SparkR that lets a different local user connect to a Spark application and impersonate the Spark user. The issue is confirmed across multiple sources (e.g., SU...
CVE-2018-11804
CVE-2018-11804 – Information disclosure in Spark Maven build zinc server : The vulnerability stems from a zinc server started by the Maven-based Spark build (build/mvn) which, by default, accepts connections from external hosts. A specially crafted request to the zinc server can cause it to revea...
CVE-2017-12612
CVE-2017-12612 affects Apache Spark 1.6.0 through 2.1.1. The root cause is unsafe deserialization in the launcher API over the socket, allowing code execution by an attacker with access to the local user account running the Spark application. The vulnerability does not apply to apps started via s...
CVE-2025-54920
Affected software: Apache Spark History Server (Spark History Web UI). Vulnerability details: In Spark 3.5.4 and earlier (and other versions affected before 3.5.7 and 4.0.1), the History Server deserializes event log data using Jackson with polymorphic types, allowing an attacker with write acces...
CVE-2025-55039
CVE-2025-55039 affects Apache Spark prior to 3.4.4, 3.5.2 and 4.0.0. When spark.network.crypto.enabled is true (default false) and spark.network.crypto.cipher is not configured, Spark uses AES/CTR/NoPadding for RPC traffic, enabling encryption without authentication. A MITM could flip bits in cip...