4 matches found
CVE-2018-8024
Apache Spark UI cross-site scripting (CVE-2018-8024) affects Spark UI before 2.3.2, including 2.1.0–2.1.2, 2.2.0–2.2.1, and 2.3.0. A malicious user can craft a URL to the Spark UI’s /jobs/ endpoint; if a user visits the URL, JavaScript can execute in the victim’s browser within the Spark UI conte...
CVE-2019-10099
CVE-2019-10099 affects Apache Spark deployments running versions prior to 2.3.3. In certain scenarios, Spark could write user data to local disk unencrypted despite spark.io.encryption.enabled=true. The issue encompasses cached blocks written to disk (controlled by spark.maxRemoteBlockSizeFetchTo...
CVE-2018-11760
CVE-2018-11760 describes a PySpark-related local privilege issue in Apache Spark: a local authenticated user can connect to a running Spark application and impersonate the user running it. Affected Spark versions include 1.x, 2.0.x, 2.1.x, 2.2.0–2.2.2, and 2.3.0–2.3.1. IBM and related advisories ...
CVE-2018-1334
Apache Spark up to version 2.3.0 (affected: 1.0.0–2.1.2, 2.2.0–2.2.1, 2.3.0) is vulnerable to an impersonation flaw when using PySpark or SparkR that lets a different local user connect to a Spark application and impersonate the Spark user. The issue is confirmed across multiple sources (e.g., SU...