Apache Spark

33 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | Summary | CVSS |
|---|---|---|---|
| CVE-2025-54920 | < 3.5.7 | This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, whi | 8.8 HIGH |
| CVE-2025-55039 | < 3.4.4 | This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 u | 6.5 MEDIUM |
| CVE-2025-3518 | >= 7.0.1 and < 7.54.1 | It is technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The f | 4.3 MEDIUM |
| CVE-2024-23945 | >= 2.0.0 and < 3.3.4 | Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and int | 5.9 MEDIUM |
| CVE-2023-32007 | <= 3.0.3 | UNSUPPORTED WHEN ASSIGNED The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls. | 8.8 HIGH |
| CVE-2023-22946 | < 3.4.0 | In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges | 6.4 MEDIUM |
| CVE-2022-31777 | < 3.2.2 | A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute | 5.4 MEDIUM |
| CVE-2022-33891 | <= 3.0.3 | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication f | 8.8 HIGH |
| CVE-2021-38296 | < 3.1.3 | Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In ver | 7.5 HIGH |
| CVE-2021-32054 | <= 1.5.4 | Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be | 6.1 MEDIUM |
| CVE-2020-27223 | all versions | In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multi | 5.2 MEDIUM |
| CVE-2020-27218 | all versions | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP | 4.8 MEDIUM |
| CVE-2020-9480 | <= 2.4.5 | In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authe | 9.8 CRITICAL |
| CVE-2020-12772 | all versions | An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG | 8.8 HIGH |
| CVE-2019-12370 | <= 2.0.2 | The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, | 6.1 MEDIUM |
| CVE-2019-20445 | all versions | HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, | 9.1 CRITICAL |
| CVE-2019-10172 | all versions | A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016- | 7.5 HIGH |
| CVE-2019-10099 | >= 1.0.2 and <= 1.6.3 | Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.ena | 7.5 HIGH |
| CVE-2018-11760 | >= 1.0.2 and <= 1.6.3 | When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running | 5.5 MEDIUM |
| CVE-2018-17190 | all versions | In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that c | 9.8 CRITICAL |
| CVE-2018-11804 | >= 1.3.0 and < 2.2.3 | Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up com | 7.5 HIGH |
| CVE-2018-11770 | >= 1.3.0 and < 2.4.0 | From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission m | 4.2 MEDIUM |
| CVE-2018-8024 | >= 2.1.0 and <= 2.1.2 | In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spa | 5.4 MEDIUM |
| CVE-2018-1334 | <= 2.1.2 | In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user | 4.7 MEDIUM |
| CVE-2018-9159 | < 2.7.2 | In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative path | 5.3 MEDIUM |
| CVE-2017-12269 | all versions | A vulnerability in the web UI of Cisco Spark Messaging Software could allow an authenticated, remote attacker to perform a stored | 5.4 MEDIUM |
| CVE-2017-12612 | all versions | In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes app | 7.8 HIGH |
| CVE-2017-7678 | <= 2.1.1 | In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into | 6.1 MEDIUM |
| CVE-2016-9177 | <= 2.5 | Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. | 7.5 HIGH |
| CVE-2016-1324 | all versions | The REST interface in Cisco Spark 2015-06 allows remote attackers to cause a denial of service (resource outage) by accessing an a | 5.3 MEDIUM |
| CVE-2016-1323 | all versions | The REST interface in Cisco Spark 2015-06 allows remote authenticated users to obtain sensitive information via a request for an u | 4.3 MEDIUM |
| CVE-2016-1322 | all versions | The REST interface in Cisco Spark 2015-07-04 allows remote attackers to bypass intended access restrictions and create arbitrary u | 7.5 HIGH |
| CVE-2015-6303 | all versions | The Cisco Spark application 2015-07-04 for mobile operating systems does not properly verify X.509 certificates from SSL servers, | |
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin