org.apache.spark:spark-core_2.10
Maven · 8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.spark:spark-core_2.10
- CVE-2017-12612 · HIGH · CVSS 7.8 · EG 7.8 · ✓ Fixed in 2.1.2 · 2017-09-13
vulnerable: 0.9.0-incubating ... 2.1.1 (28 versions)
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution…
- CVE-2017-7678 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 2.2.0 · 2017-07-12
vulnerable: 0.9.0-incubating ... 2.1.3 (30 versions)
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, o…
- CVE-2018-11770 · MEDIUM · CVSS 4.2 · 2018-08-13
vulnerable: 1.0.0 ... 2.2.2 (30 versions)
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a s…
- CVE-2018-11804 · HIGH · CVSS 7.5 · 2018-10-24
vulnerable: 1.3.0 ... 2.1.3 (19 versions)
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will …
- CVE-2018-1334 · MEDIUM · CVSS 4.7 · ✓ Fixed in 2.2.2 · 2018-07-12
vulnerable: 2.2.0, 2.2.1
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
- CVE-2018-17190 · CRITICAL · CVSS 9.8 · 2018-11-19
vulnerable: 0.9.0-incubating ... 2.2.3 (34 versions)
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request …
- CVE-2018-8024 · MEDIUM · CVSS 5.4 · ✓ Fixed in 2.2.2 · 2018-07-12
vulnerable: 2.2.0, 2.2.1
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used …
- CVE-2022-31777 · MEDIUM · CVSS 5.4 · EG 5.4 · 2022-11-01
vulnerable: 0.9.0-incubating ... 2.2.3 (34 versions)
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which woul…