Vulnerabilities > Apache > Spark > 2.1.1

DATE CVE VULNERABILITY TITLE RISK
2018-07-12 CVE-2018-8024 Information Exposure vulnerability in multiple products
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI.
network
low complexity
apache mozilla CWE-200
5.4
5.4
2018-07-12 CVE-2018-1334 Information Exposure vulnerability in Apache Spark
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
local
high complexity
apache CWE-200
4.7
4.7
2017-09-13 CVE-2017-12612 Deserialization of Untrusted Data vulnerability in Apache Spark
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket.
local
low complexity
apache CWE-502
7.2
7.2
2017-07-12 CVE-2017-7678 Cross-site Scripting vulnerability in Apache Spark
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server.
network
apache CWE-79
4.3
4.3