org.apache.spark:spark-core_2.12@3.3.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.spark:spark-core_2.12 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Improper Privilege Management

org.apache.spark:spark-core_2.12 is an unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools including Spark SQL for SQL and DataFrames, pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing.

Affected versions of this package are vulnerable to Improper Privilege Management when applications using spark-submit can specify a proxy-user to run with limiting privileges., which allows the application to execute code with the privileges of the submitting user. Exploiting this vulnerability is possible by providing malicious configuration-related classes on the classpath.

Note: This vulnerability affects architectures relying on proxy-user, for example, those using Apache Livy to manage submitted applications.

How to fix Improper Privilege Management?

Upgrade org.apache.spark:spark-core_2.12 to version 3.3.3 or higher.

[,3.3.3)