
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

In Apache Linkis <= 1.5.0, the Spark EngineConn has a weak random string vulnerability: the token string generated when starting Py4j is produced with Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue. • https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw • CWE-326: Inadequate Encryption Strength

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Deserialization of Untrusted Data and Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user who is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out explicitly in the documentation, so it is possible that administrators granted authorization to configure Spark hooks without taking this into account. We recommend that administrators review their configurations to make sure the authorization to configure Spark hooks is only granted to fully trusted users. To view the warning in the docs, visit https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html • https://github.com/apache/airflow/pull/33233 • https://lists.apache.org/thread/fzy95b1d6zv31j5wrx3znhzcscck2o24 • CWE-502: Deserialization of Untrusted Data • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass malicious parameters when establishing a connection, giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected. • http://www.openwall.com/lists/oss-security/2023/08/17/1 • http://www.openwall.com/lists/oss-security/2023/08/18/1 • https://lists.apache.org/thread/t03gktyzyor20rh06okd91jtqmw6k1l7 • CWE-20: Improper Input Validation

CVSS: 8.8 • EPSS: 1% • CPEs: 3 • EXPL: 0

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that ultimately builds a Unix shell command based on their input and executes it. This results in arbitrary shell command execution as the user Spark is currently running as. • http://www.openwall.com/lists/oss-security/2023/05/02/1 • https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv • https://spark.apache.org/security.html • https://www.cve.org/CVERecord?id=CVE-2022-33891 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. However, by providing malicious configuration-related classes on the classpath, the application can execute code with the privileges of the submitting user. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false" and is not overridden by submitted applications. • https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv • CWE-269: Improper Privilege Management