CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2017-12612
https://notcve.org/view.php?id=CVE-2017-12612
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. • http://www.securityfocus.com/bid/100823 https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7678
https://notcve.org/view.php?id=CVE-2017-7678
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. En Spark anterior a versión 2.2.0 de Apache, es posible que un atacante tome ventaja de la confianza de un usuario en el servidor para engañarlo y que visite un enlace que apunte a un clúster Spark compartido y envíe datos incluyendo MHTML al master Spark , o un historial del servidor. Esta información, que podría contener un script, se reflejaría de vuelta hacia al usuario y podría ser evaluada y ejecutada por los clientes basados en MS Windows. • http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html http://www.securityfocus.com/bid/99603 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9177 – Spark: Directory traversal vulnerability in version 2.5
https://notcve.org/view.php?id=CVE-2016-9177
Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. Vulnerabilidad de salto de directorio en Spark 2.5 permite a atacantes remotos leer archivos arbitrarios a través de un .. (punto punto) en la URI. A path traversal issue was found in Spark version 2.5 and potentially earlier versions. • http://seclists.org/fulldisclosure/2016/Nov/13 http://www.securityfocus.com/bid/94218 https://access.redhat.com/errata/RHSA-2017:0868 https://github.com/perwendel/spark/issues/700 https://access.redhat.com/security/cve/CVE-2016-9177 https://bugzilla.redhat.com/show_bug.cgi?id=1393607 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •