pyspark@3.1.3 vulnerabilities

Apache Spark Python API

latest version

3.5.1
latest non vulnerable version

3.5.1
first published

7 years ago
latest version published

3 months ago
licenses detected
- Apache-2.0
  [0,)
View pyspark package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the pyspark package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Command Injection pyspark is a fast and general cluster computing system for Big Data. Affected versions of this package are vulnerable to Command Injection due to the usage of `bash -c` in `ShellBasedGroupsMappingProvider`. A code path in `HttpSecurityFilter` can allow someone to perform impersonation by providing an arbitrary user name. This is only if `ACLs` are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input and execute it. Note: CVE-2023-32007 was subsequently released to flag that `v3.1.3` is vulnerable to CVE-2022-33891 How to fix Command Injection? Upgrade `pyspark` to version 3.2.2 or higher.	[0,3.2.2)
H Command Injection pyspark is a fast and general cluster computing system for Big Data. Affected versions of this package are vulnerable to Command Injection due to the usage of `bash -c` in `ShellBasedGroupsMappingProvider`. A code path in `HttpSecurityFilter` can allow someone to perform impersonation by providing an arbitrary user name. This is only if `ACLs` are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. Note: CVE-2023-32007 was subsequently released to flag that `v3.1.3` is vulnerable to CVE-2022-33891. How to fix Command Injection? Upgrade `pyspark` to version 3.2.2 or higher.	[0,3.2.2)

Command Injection

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to Command Injection due to the usage of bash -c in ShellBasedGroupsMappingProvider. A code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. This is only if ACLs are enabled. It allows a malicious user to reach a permission check function that will ultimately build a Unix shell command based on their input and execute it.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891

How to fix Command Injection?

Upgrade pyspark to version 3.2.2 or higher.

[0,3.2.2)

Command Injection

pyspark is a fast and general cluster computing system for Big Data.

Note: CVE-2023-32007 was subsequently released to flag that v3.1.3 is vulnerable to CVE-2022-33891.

How to fix Command Injection?

Upgrade pyspark to version 3.2.2 or higher.

[0,3.2.2)

Go back to all versions of this package

pyspark@3.1.3 vulnerabilities

Apache Spark Python API

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities