CPE-0C346DBF-EDC5-4439-8D34-5C34C8A4824A Detail

CPE Details

Apache Software Foundation Spark 3.1.0 Release Candidate 1

Vendor

apache

Product

spark

Version

3.1.0

Created

2021-12-02
17h17 +00:00

Modified

2021-12-02
17h21 +00:00

Official links

CPE NVD

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Notifications manage

List of Notifications

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

CPE ID

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CPE Name: cpe:2.3:a:apache:spark:3.1.0:rc1::::::

Informations

Vendor

apache

Product

spark

Version

3.1.0

Update

rc1

Related CVE

Open and find in CVE List

CVE ID	Published	Description	Score	Severity
CVE-2023-22946	2023-04-17 07h30 +00:00	In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.	9.9	Critical
CVE-2022-31777	2022-10-31 23h00 +00:00	A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.	5.4	Medium
CVE-2021-38296	2022-03-10 07h20 +00:00	Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later	7.5	High
CVE-2018-17190	2018-11-19 13h00 +00:00	In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.	9.8	Critical

Apache Software Foundation Spark 3.1.0 Release Candidate 1

CPE Details

CPE Name: cpe:2.3:a:apache:spark:3.1.0:rc1:*:*:*:*:*:*

Informations

Vendor

Product

Version

Update

Related CVE

CPE Name: cpe:2.3:a:apache:spark:3.1.0:rc1::::::