Vulnerabilities > Apache > Spark > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-11-01 CVE-2022-31777 Unspecified vulnerability in Apache Spark
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
network
low complexity
apache
5.4
2021-02-26 CVE-2020-27223 Resource Exhaustion vulnerability in multiple products
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e.
network
low complexity
eclipse apache netapp debian oracle CWE-400
5.3
2020-11-28 CVE-2020-27218 In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body.
network
high complexity
eclipse netapp oracle apache debian
4.8
2019-02-04 CVE-2018-11760 Unspecified vulnerability in Apache Spark
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
local
low complexity
apache
5.5
2018-08-13 CVE-2018-11770 Improper Authentication vulnerability in Apache Spark
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit.
network
high complexity
apache CWE-287
4.2
2018-07-12 CVE-2018-8024 Information Exposure vulnerability in multiple products
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI.
network
low complexity
apache mozilla CWE-200
5.4
2018-07-12 CVE-2018-1334 Information Exposure vulnerability in Apache Spark
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
local
high complexity
apache CWE-200
4.7
2017-07-12 CVE-2017-7678 Cross-site Scripting vulnerability in Apache Spark
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server.
network
low complexity
apache CWE-79
6.1