Homepage
About Snyk

pyspark@2.4.2 vulnerabilities

Apache Spark Python API

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the pyspark package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Command Injection due to the usage of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This is only if ACLs are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input and execute it.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891

How to fix Command Injection?

Upgrade pyspark to version 3.2.2 or higher.

[0,3.2.2)
  • H
Command Injection

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Command Injection due to the usage of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This is only if ACLs are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891.

How to fix Command Injection?

Upgrade pyspark to version 3.2.2 or higher.

[0,3.2.2)
  • H
Arbitrary Command Execution

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Arbitrary Command Execution via the Utils.unpack method when the filename is controlled by a malicious user. This vulnerability exists due to Hadoop's unTar function, that doesn't properly escape the filename before passing it to a shell command.

How to fix Arbitrary Command Execution?

Upgrade pyspark to version 3.1.3, 3.2.2 or higher.

[,3.1.3) [3.2.0,3.2.2)
  • M
Information Exposure

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Information Exposure via a bespoke mutual authentication protocol that allows for full encryption key recovery. This would allow a malicious actor who has access to the machine to decrypt captured network traffic offline.

How to fix Information Exposure?

Upgrade pyspark to version 3.1.3 or higher.

[,3.1.3)
  • C
Remote Code Execution (RCE)

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). A standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

How to fix Remote Code Execution (RCE)?

Upgrade pyspark to version 2.4.6 or higher.

[,2.4.6)
Go back to all versions of this package