Skip to main content

Spark

26 CVEs product

Monthly

CVE-2025-3518 MEDIUM This Month

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Spark
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2024-23945 Maven MEDIUM POC PATCH This Month

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Information Disclosure Hive Spark
NVD GitHub
CVSS 3.1
5.9
EPSS
1.5%
CVE-2023-32007 LIB HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Spark
NVD
CVSS 3.1
8.8
EPSS
75.8%
CVE-2023-22946 LIB CRITICAL PATCH Act Now

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Spark
NVD
CVSS 3.1
9.9
EPSS
1.1%
CVE-2022-31777 LIB MEDIUM PATCH This Month

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Spark
NVD
CVSS 3.1
5.4
EPSS
1.5%
CVE-2022-33891 LIB HIGH POC KEV PATCH THREAT Act Now

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Spark
NVD
CVSS 3.1
8.8
EPSS
93.0%
CVE-2021-32054 MEDIUM PATCH This Month

Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Spark
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-27218 Maven MEDIUM PATCH This Month

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Code Injection Jetty Oncommand System Manager Snap Creator Framework Blockchain Platform +13
NVD GitHub
CVSS 3.1
4.8
EPSS
8.1%
CVE-2020-9480 LIB CRITICAL POC PATCH THREAT Act Now

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Apache Authentication Bypass Spark Business Intelligence
NVD
CVSS 3.1
9.8
EPSS
29.2%
CVE-2020-12772 HIGH POC This Week

An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Spark
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2019-10172 Maven HIGH This Week

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jackson Mapper Asl Jboss Enterprise Application Platform Jboss Fuse Debian Linux +1
NVD
CVSS 3.1
7.5
EPSS
17.0%
CVE-2019-10099 LIB HIGH PATCH This Week

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure Spark
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2018-17190 Maven CRITICAL Act Now

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Spark
NVD
CVSS 3.0
9.8
EPSS
8.7%
CVE-2018-11804 Maven HIGH This Week

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Spark
NVD
CVSS 3.1
7.5
EPSS
5.7%
CVE-2018-11770 Maven MEDIUM POC THREAT This Month

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Spark
NVD
CVSS 3.1
4.2
EPSS
65.8%
CVE-2018-8024 Maven MEDIUM POC PATCH This Month

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Apache Apple +2
NVD
CVSS 3.0
5.4
EPSS
5.0%
CVE-2018-1334 LIB MEDIUM PATCH This Month

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running. Rated medium severity (CVSS 4.7). No vendor patch available.

Apache Information Disclosure Spark
NVD
CVSS 3.0
4.7
EPSS
0.5%
CVE-2018-9159 Maven MEDIUM PATCH This Month

In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Spark
NVD GitHub
CVSS 3.0
5.3
EPSS
4.6%
CVE-2017-12269 MEDIUM This Month

A vulnerability in the web UI of Cisco Spark Messaging Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Cisco Spark
NVD
CVSS 3.0
5.4
EPSS
0.4%
CVE-2017-12612 LIB HIGH PATCH This Week

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache RCE Spark
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2017-7678 Maven MEDIUM PATCH This Month

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Microsoft Apache Spark
NVD
CVSS 3.0
6.1
EPSS
1.4%
CVE-2016-9177 Maven HIGH POC PATCH This Week

Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Spark
NVD GitHub
CVSS 3.0
7.5
EPSS
5.5%
CVE-2016-1324 MEDIUM This Month

The REST interface in Cisco Spark 2015-06 allows remote attackers to cause a denial of service (resource outage) by accessing an administrative page, aka Bug ID CSCuv84125. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Privilege Escalation Denial Of Service Spark
NVD
CVSS 3.0
5.3
EPSS
0.5%
CVE-2016-1323 MEDIUM This Month

The REST interface in Cisco Spark 2015-06 allows remote authenticated users to obtain sensitive information via a request for an unspecified file, aka Bug ID CSCuv84048. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Spark
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2016-1322 HIGH This Week

The REST interface in Cisco Spark 2015-07-04 allows remote attackers to bypass intended access restrictions and create arbitrary user accounts via unspecified web requests, aka Bug ID CSCuv72584. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Privilege Escalation Spark
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2015-6303 MEDIUM This Month

The Cisco Spark application 2015-07-04 for mobile operating systems does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Cisco Information Disclosure Spark
NVD
CVSS 2.0
4.3
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM This Month

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Spark
NVD
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Information Disclosure Hive +1
NVD GitHub
EPSS 76% CVSS 8.8
HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Spark
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Spark
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Spark
NVD
EPSS 93% CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Spark
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Spark
NVD GitHub
EPSS 8% CVSS 4.8
MEDIUM PATCH This Month

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Code Injection Jetty Oncommand System Manager +15
NVD GitHub
EPSS 29% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Apache Authentication Bypass Spark +1
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Spark
NVD GitHub
EPSS 17% CVSS 7.5
HIGH This Week

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jackson Mapper Asl Jboss Enterprise Application Platform +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure Spark
NVD
EPSS 9% CVSS 9.8
CRITICAL Act Now

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Spark
NVD
EPSS 6% CVSS 7.5
HIGH This Week

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Spark
NVD
EPSS 66% CVSS 4.2
MEDIUM POC THREAT This Month

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Spark
NVD
EPSS 5% CVSS 5.4
MEDIUM POC PATCH This Month

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +4
NVD
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running. Rated medium severity (CVSS 4.7). No vendor patch available.

Apache Information Disclosure Spark
NVD
EPSS 5% CVSS 5.3
MEDIUM PATCH This Month

In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Spark
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability in the web UI of Cisco Spark Messaging Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Cisco Spark
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache RCE +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Microsoft Apache +1
NVD
EPSS 6% CVSS 7.5
HIGH POC PATCH This Week

Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Spark
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The REST interface in Cisco Spark 2015-06 allows remote attackers to cause a denial of service (resource outage) by accessing an administrative page, aka Bug ID CSCuv84125. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Privilege Escalation Denial Of Service +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The REST interface in Cisco Spark 2015-06 allows remote authenticated users to obtain sensitive information via a request for an unspecified file, aka Bug ID CSCuv84048. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Spark
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The REST interface in Cisco Spark 2015-07-04 allows remote attackers to bypass intended access restrictions and create arbitrary user accounts via unspecified web requests, aka Bug ID CSCuv72584. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Privilege Escalation Spark
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Cisco Spark application 2015-07-04 for mobile operating systems does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Cisco Information Disclosure Spark
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy