Vulnerabilities > Apache > Spark
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-08-07 | CVE-2019-10099 | Cleartext Storage of Sensitive Information vulnerability in Apache Spark. Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. | 7.5 |
2019-02-04 | CVE-2018-11760 | Unspecified vulnerability in Apache Spark. When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | 5.5 |
2018-11-19 | CVE-2018-17190 | Unspecified vulnerability in Apache Spark. In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. | 9.8 |
2018-10-24 | CVE-2018-11804 | Unspecified vulnerability in Apache Spark. Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. | 7.5 |
2018-08-13 | CVE-2018-11770 | Improper Authentication vulnerability in Apache Spark. From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. | 4.2 |
2018-07-12 | CVE-2018-8024 | Information Exposure vulnerability in multiple products. In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. | 5.4 |
2018-07-12 | CVE-2018-1334 | Information Exposure vulnerability in Apache Spark. In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | 4.7 |
2017-09-13 | CVE-2017-12612 | Deserialization of Untrusted Data vulnerability in Apache Spark. In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. | 7.8 |
2017-07-12 | CVE-2017-7678 | Cross-site Scripting vulnerability in Apache Spark. In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. | 6.1 |