org.apache.spark:spark-core_2.13@3.2.1 vulnerabilities

  • latest version: 3.5.3
  • first published: 3 years ago
  • latest version published: 3 months ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.spark:spark-core_2.13 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H (High severity): Command Injection

    Affected versions of this package are vulnerable to Command Injection due to the use of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to impersonate another user by supplying an arbitrary user name. This applies only when ACLs are enabled. It lets a malicious user reach a permission check function that ultimately builds a Unix shell command from their input and executes it.

    Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891.

    How to fix Command Injection?

    Upgrade org.apache.spark:spark-core_2.13 to version 3.2.2 or higher.

    Vulnerable versions: [0,3.2.2)
    • H (High severity): Improper Privilege Management

    Affected versions of this package are vulnerable to Improper Privilege Management: applications using spark-submit can specify a proxy-user to run with limited privileges, which allows the application to execute code with the privileges of the submitting user instead. Exploitation is possible by providing malicious configuration-related classes on the classpath.

    Note: This vulnerability affects architectures that rely on proxy-user, for example those using Apache Livy to manage submitted applications.

    How to fix Improper Privilege Management?

    Upgrade org.apache.spark:spark-core_2.13 to version 3.3.3 or higher.

    Vulnerable versions: [,3.3.3)