pyspark
PyPI | 11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting pyspark (page 1 of 1)
- CVE-2017-12612 | HIGH | CVSS 7.8 | EG 7.8 | ✓ Fixed in 2.1.2 | 2017-09-13
vulnerable: 2.1.1
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution…
- CVE-2018-11760 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 2.2.3 | 2019-02-04
vulnerable: 2.1.1 ... 2.3.1 (8 versions)
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
- CVE-2018-1334 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 2.1.3 | 2018-07-12
vulnerable: 2.1.1, 2.1.2, 2.2.0, 2.2.1
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
- CVE-2019-10099 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.3 | 2019-08-07
vulnerable: 2.1.1 ... 2.3.2 (10 versions)
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchT…
- CVE-2020-9480 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.4.6 | 2020-06-23
vulnerable: 2.1.1 ... 2.4.5 (18 versions)
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in sta…
- CVE-2021-38296 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.1.3 | 2022-03-10
vulnerable: 2.1.1 ... 3.1.2 (27 versions)
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key…
- CVE-2022-31777 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 3.2.2 | 2022-11-01
vulnerable: 2.1.1 ... 3.2.1 (30 versions)
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which woul…
- CVE-2022-33891 | HIGH | CVSS 8.8 | EG 9.0 | ⚠ KEV | ✓ Fixed in 3.1.3 | 2022-07-18
vulnerable: 2.1.1 ... 3.2.1 (29 versions)
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabl…
- CVE-2023-22946 | MEDIUM | CVSS 6.4 | EG 6.4 | ✓ Fixed in 3.4.0 | 2023-04-17
vulnerable: 2.1.1 ... 3.3.4 (38 versions)
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing maliciou…
- CVE-2023-32007 | HIGH | CVSS 8.8 | EG 9.0 | ✓ Fixed in 3.2.0 | 2023-05-02
vulnerable: 2.1.1 ... 3.1.3 (28 versions)
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify th…
- CVE-2025-55039 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 3.5.2 | 2025-10-15
vulnerable: 2.1.1 ... 3.5.1 (44 versions)
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.cry…