apache-airflow-providers-apache-spark@2.0.3rc1 vulnerabilities

Provider package apache-airflow-providers-apache-spark for Apache Airflow

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow-providers-apache-spark package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free
VulnerabilityVulnerable Version
  • H
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when it is installed on an Airflow deployment, an authorized user can execute arbitrary code on the Airflow node by directing it to a malicious Spark server. This is only exploitable if the user has the authorization to configure Spark hooks.

Note: Administrators are advised to review their configurations to ensure that the authorization to configure Spark hooks is only granted to fully trusted users.

How to fix Deserialization of Untrusted Data?

Upgrade apache-airflow-providers-apache-spark to version 4.1.3 or higher.

[,4.1.3)
  • H
Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation. A vulnerability allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server.

How to fix Improper Input Validation?

Upgrade apache-airflow-providers-apache-spark to version 4.1.3 or higher.

[,4.1.3)
  • H
Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation because the host and schema of JDBC Hook can contain / and ? which is used to denote the end of the field.

How to fix Improper Input Validation?

Upgrade apache-airflow-providers-apache-spark to version 4.0.1 or higher.

[,4.0.1)
  • M
OS Command Injection

Affected versions of this package are vulnerable to OS Command Injection which allows an attacker to read arbitrary files in the task execution context, without write access to DAG files.

How to fix OS Command Injection?

Upgrade apache-airflow-providers-apache-spark to version 4.0.0 or higher.

[,4.0.0)