pyspark@2.1.2 vulnerabilities

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Command Injection due to the usage of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This is only if ACLs are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input and execute it.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891

Upgrade pyspark to version 3.2.2 or higher.

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Command Injection due to the usage of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This is only if ACLs are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891.

Upgrade pyspark to version 3.2.2 or higher.

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Arbitrary Command Execution via the Utils.unpack method when the filename is controlled by a malicious user. This vulnerability exists due to Hadoop's unTar function, that doesn't properly escape the filename before passing it to a shell command.

Upgrade pyspark to version 3.1.3, 3.2.2 or higher.

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Information Exposure via a bespoke mutual authentication protocol that allows for full encryption key recovery. This would allow a malicious actor who has access to the machine to decrypt captured network traffic offline.

Upgrade pyspark to version 3.1.3 or higher.

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). A standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

Upgrade pyspark to version 2.4.6 or higher.

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Information Exposure. In certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Upgrade pyspark to version 2.3.3 or higher.

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to User Impersonation. It is possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Upgrade pyspark to version 2.2.3, 2.3.2 or higher.

Apache Spark is a general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. It is possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI.

Upgrade org.apache.spark:spark-core to version 2.1.3, 2.2.2, 2.3.1 or higher.

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Privilege Escalation. When using PySpark or SparkR, it was possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Upgrade pyspark to version 2.1.3, 2.2.2, 2.3.1 or higher.

org.apache.spark:spark-core_2.10 is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks.

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.

Upgrade org.apache.spark:spark-core_2.10 to version 2.2.0 or higher.

org.apache.spark:spark-core is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks.

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.

Upgrade org.apache.spark:spark-core to version 2.2.0 or higher.

org.apache.spark:spark-core_2.11 is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks.

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.

Upgrade org.apache.spark:spark-core_2.11 to version 2.2.0 or higher.