org.apache.spark:spark-core_2.12@3.0.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.spark:spark-core_2.12 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

org.apache.spark:spark-core_2.12 is an unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing.

Affected versions of this package are vulnerable to Command Injection due to the usage of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This is only if ACLs are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input and execute it.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891

How to fix Command Injection?

Upgrade org.apache.spark:spark-core_2.12 to version 3.2.2 or higher.

[0,3.2.2)
  • H
Improper Privilege Management

org.apache.spark:spark-core_2.12 is an unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing.

Affected versions of this package are vulnerable to Improper Privilege Management when applications using spark-submit can specify a proxy-user to run with limiting privileges., which allows the application to execute code with the privileges of the submitting user. Exploiting this vulnerability is possible by providing malicious configuration-related classes on the classpath.

Note: This vulnerability affects architectures relying on proxy-user, for example, those using Apache Livy to manage submitted applications.

How to fix Improper Privilege Management?

Upgrade org.apache.spark:spark-core_2.12 to version 3.3.3 or higher.

[,3.3.3)
  • M
Cross-site Scripting (XSS)

org.apache.spark:spark-core_2.12 is an unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the loadMore() and loadNew() functions in log-view.js, due to unsanitized rendering of logs in the UI.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.spark:spark-core_2.12 to version 3.2.2, 3.3.1 or higher.

[,3.2.2) [3.3.0,3.3.1)
  • H
Command Injection

org.apache.spark:spark-core_2.12 is an unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing.

Affected versions of this package are vulnerable to Command Injection due to the usage of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This is only if ACLs are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891.

How to fix Command Injection?

Upgrade org.apache.spark:spark-core_2.12 to version 3.2.2 or higher.

[0,3.2.2)
  • H
Arbitrary Command Execution

org.apache.spark:spark-core_2.12 is an unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing.

Affected versions of this package are vulnerable to Arbitrary Command Execution via the Utils.unpack method when the filename is controlled by a malicious user. This vulnerability exists due to Hadoop's unTar function, that doesn't properly escape the filename before passing it to a shell command.

How to fix Arbitrary Command Execution?

Upgrade org.apache.spark:spark-core_2.12 to version 3.1.3, 3.2.2 or higher.

[,3.1.3) [3.2.0,3.2.2)