Upgrade org.apache.spark:spark-core_2.12 to version 3.3.3 or higher.
org.apache.spark:spark-core_2.12 is a unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools, including Spark SQL for SQL and DataFrames, the pandas API on Spark for pandas workloads, MLlib for machine learning, GraphX for graph processing, and Structured Streaming for stream processing.
Affected versions of this package are vulnerable to Improper Privilege Management. Applications launched with spark-submit can specify a proxy-user to run as, which is intended to limit their privileges; however, by providing malicious configuration-related classes on the classpath, such an application can execute code with the privileges of the submitting user instead.
Note: This vulnerability affects architectures relying on proxy-user, for example, those using Apache Livy to manage submitted applications.
After upgrading to the fixed version, ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false" and is not overridden by submitted applications.
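The post-upgrade check above can be automated. The following is an added example, not code from the advisory or the Spark project: it resolves the effective value of spark.submit.proxyUser.allowCustomClasspathInClusterMode from a spark-defaults.conf file and a spark-submit argument list, assuming the standard conf layout (key, whitespace, value; `#` comments) and that `--conf key=value` flags take precedence over spark-defaults.conf.

```python
# Added example, not code from the advisory or the Spark project: audit whether a
# deployment leaves spark.submit.proxyUser.allowCustomClasspathInClusterMode at
# its safe default (false). Assumes the spark-defaults.conf layout (key, whitespace,
# value; '#' comments) and spark-submit's '--conf key=value' flags, which win
# over spark-defaults.conf.
from typing import Dict, List

KEY = "spark.submit.proxyUser.allowCustomClasspathInClusterMode"


def parse_spark_defaults(text: str) -> Dict[str, str]:
    """Parse spark-defaults.conf content; the last definition of a key wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                conf[parts[0]] = parts[1].strip()
    return conf


def parse_submit_confs(argv: List[str]) -> Dict[str, str]:
    """Collect '--conf k=v' pairs from a spark-submit argument list."""
    conf: Dict[str, str] = {}
    for i, arg in enumerate(argv[:-1]):
        if arg == "--conf" and "=" in argv[i + 1]:
            k, v = argv[i + 1].split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def audit(defaults_text: str, argv: List[str]) -> List[str]:
    """Return findings; an empty list means the safe default is in effect."""
    defaults = parse_spark_defaults(defaults_text)
    submit = parse_submit_confs(argv)
    findings = []
    if defaults.get(KEY, "false").strip().lower() == "true":
        findings.append("spark-defaults.conf sets %s=true" % KEY)
    if submit.get(KEY, "false").strip().lower() == "true":
        findings.append("submitted application overrides %s to true" % KEY)
    return findings


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_DEFAULTS = "# cluster defaults\nspark.master  yarn\n%s  false\n" % KEY
SAMPLE_ARGV = ["--master", "yarn", "--proxy-user", "alice",
               "--conf", "%s=true" % KEY, "app.jar"]
```

Running `audit(SAMPLE_DEFAULTS, SAMPLE_ARGV)` on the constructed inputs reports the per-submission override even though the cluster default is safe, which is exactly the case the advisory tells you to rule out.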