CVSS: 9.0EPSS: 91%CPEs: 3EXPL: 0CVE-2023-32007 – Apache Spark: Shell command injection via Spark UI
https://notcve.org/view.php?id=CVE-2023-32007
02 May 2023 — The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute ... • http://www.openwall.com/lists/oss-security/2023/05/02/1 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22946 – Apache Spark proxy-user privilege escalation from malicious configuration class
https://notcve.org/view.php?id=CVE-2023-22946
17 Apr 2023 — In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClu... • https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv • CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31777 – Apache Spark XSS vulnerability in log viewer UI Javascript
https://notcve.org/view.php?id=CVE-2022-31777
01 Nov 2022 — A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en Apache Spark 3.2.1 y anteriores, y 3.3.0, permite a atacantes remotos ejecutar JavaScript arbitrario en el navegador web de un usuario, al incluir un payload malicioso ... • http://www.openwall.com/lists/oss-security/2022/11/01/14 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.0EPSS: 94%CPEs: 3EXPL: 16CVE-2022-33891 – Apache Spark Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-33891
18 Jul 2022 — The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute ... • https://packetstorm.news/files/id/168309 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-38296 – Apache Spark Key Negotiation Vulnerability
https://notcve.org/view.php?id=CVE-2021-38296
10 Mar 2022 — Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.... • https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32054
https://notcve.org/view.php?id=CVE-2021-32054
14 May 2021 — Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser. Firely/Incendi Spark versiones anteriores a 1.5.5-r4, carece de encabezados Content-Disposition en determinadas situaciones, lo que puede causar a unos archivos diseñados ser enviados a clientes de manera que son procesados directamente en el navegador web de la víctima • https://github.com/FirelyTeam/spark/commit/9c79320059f92d8aa4fbd6cc4fa8f9d5d6ba9941 • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 9.8EPSS: 81%CPEs: 2EXPL: 1CVE-2020-9480
https://notcve.org/view.php?id=CVE-2020-9480
23 Jun 2020 — In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). En Apache Spark versión 2.4.5 y ve... • https://github.com/XiaoShaYu617/CVE-2020-9480 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-12370
https://notcve.org/view.php?id=CVE-2019-12370
18 Mar 2020 — The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. La aplicación Spark versiones hasta 2.0.2 para Android, permite un ataque de tipo XSS por medio de un atributo de evento y una carga de archivos arbitraria mediante un atributo src, si la aplicación presenta el permiso READ_EXTERNAL_STORAGE. • https://gubello.me • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-10099
https://notcve.org/view.php?id=CVE-2019-10099
07 Aug 2019 — Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. Spark anterior a versión 2.3.3, en ciertas situaciones, Spark escribiría los datos de usuario en el disco local sin cifrar, incluso si spark.io.encryption.enabled=true... • https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e%40%3Cuser.spark.apache.org%3E • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-11760
https://notcve.org/view.php?id=CVE-2018-11760
04 Feb 2019 — When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. Al utilizar PySpark, es posible que un usuario local diferente se conecte a la aplicación de Spark y suplante al usuario que ejecuta la aplicación de Spark. Afecta a las versiones 1.x, 2.0.x, 2.1.x, 2.2.0 a 2.2.2 y desde la 2.3.0 hasta la 2.3.1. • http://www.securityfocus.com/bid/106786 •