Vulnerabilities > Apache > Spark > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-01 | CVE-2022-31777 | Injection vulnerability in Apache Spark A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. | 5.4 |
| 2021-02-26 | CVE-2020-27223 | Resource Exhaustion vulnerability in multiple products In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. | 5.3 |
| 2020-11-28 | CVE-2020-27218 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. | 4.8 |
| 2019-02-04 | CVE-2018-11760 | Unspecified vulnerability in Apache Spark When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | 5.5 |
| 2018-08-13 | CVE-2018-11770 | Improper Authentication vulnerability in Apache Spark From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. | 4.2 |
| 2018-07-12 | CVE-2018-8024 | Information Exposure vulnerability in multiple products In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. | 5.4 |
| 2018-07-12 | CVE-2018-1334 | Information Exposure vulnerability in Apache Spark In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | 4.7 |
| 2017-07-12 | CVE-2017-7678 | Cross-site Scripting vulnerability in Apache Spark In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. | 6.1 |