Apache Software Foundation Spark 3.3.0

CPE Details

Apache Software Foundation Spark 3.3.0
3.3.0
2022-11-01 16h49 +00:00
2022-11-04 13h36 +00:00

CPE Name: cpe:2.3:a:apache:spark:3.3.0:*:*:*:*:*:*:*

Information

Vendor: apache

Product: spark

Version: 3.3.0

Related CVE


CVE ID: CVE-2023-22946
Published: 2023-04-17 07h30 +00:00
Score: 9.9 (Critical)
Description: In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.

CVE ID: CVE-2022-31777
Published: 2022-10-31 23h00 +00:00
Score: 5.4 (Medium)
Description: A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.

CVE ID: CVE-2018-17190
Published: 2018-11-19 13h00 +00:00
Score: 9.8 (Critical)
Description: In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.