6 matches found

CVE | added 2022/03/10 8:20 a.m. | 144 views

CVE-2021-38296

CVE-2021-38296 affects Apache Spark where versions up to 3.1.2 use a bespoke mutual authentication protocol for end-to-end RPC encryption that can enable full encryption key recovery and offline decryption of plaintext traffic. The issue is limited to Spark’s key exchange/authentication path and ...

CVSS 7.5 | AI score 7.8 | EPSS 0.02147

CVE | added 2022/11/01 12:0 a.m. | 141 views

CVE-2022-31777

CVE-2022-31777 (Apache Spark XSS): A stored XSS in Spark 3.2.1 and earlier and 3.3.0 arises from improper validation in the log viewer. An attacker can lure a user to click a crafted URL to execute arbitrary JavaScript in the victim’s browser, potentially compromising cookies and session data. A...

CVSS 5.4 | AI score 5.5 | EPSS 0.00175

CVE | added 2018/11/19 2:0 p.m. | 140 views

CVE-2018-17190

CVE-2018-17190 affects Apache Spark’s standalone resource manager. A specially crafted request can cause the master to execute code on worker nodes, even though the master is not intended to run user code. This vulnerability is described as not affecting standalone clusters with authentication en...

CVSS 9.8 | AI score 8.7 | EPSS 0.01149

CVE | added 2023/04/17 7:30 a.m. | 98 views

CVE-2023-22946

CVE-2023-22946 affects Apache Spark prior to 3.4.0. An attacker can abuse a proxy-user configuration by placing malicious configuration classes on the classpath, enabling code execution with the privileges of the submitting user (e.g., in environments using Livy). The vulnerability arises when sp...

CVSS 9.9 | AI score 8 | EPSS 0.00427

CVE | added 2026/03/14 9:1 a.m. | 61 views

CVE-2025-54920

Affected software: Apache Spark History Server (Spark History Web UI). Vulnerability details: In Spark 3.5.4 and earlier (and other versions affected before 3.5.7 and 4.0.1), the History Server deserializes event log data using Jackson with polymorphic types, allowing an attacker with write acces...

CVSS 8.8 | AI score 6.4 | EPSS 0.00486

CVE | added 2025/10/15 7:19 a.m. | 22 views

CVE-2025-55039

CVE-2025-55039 affects Apache Spark prior to 3.4.4, 3.5.2 and 4.0.0. When spark.network.crypto.enabled is true (default false) and spark.network.crypto.cipher is not configured, Spark uses AES/CTR/NoPadding for RPC traffic, enabling encryption without authentication. A MITM could flip bits in cip...

CVSS 6.5 | AI score 6.3 | EPSS 0.00099