Every CVE whose affected-product data names Apache Spark, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (22)
CVE-2018-17190 — CVSS 9.8 (critical): In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on…
CVE-2020-9480 — CVSS 9.8 (critical): In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate)…
CVE-2019-20445 — CVSS 9.1 (critical): HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a…
CVE-2025-54920 — CVSS 8.8 (high): This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes…
CVE-2023-32007 — CVSS 8.8 (high): ** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable…
CVE-2017-12612 — CVSS 7.8 (high): In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications…
CVE-2021-38296 — CVSS 7.5 (high): Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions…
CVE-2019-10099 — CVSS 7.5 (high): Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true…
CVE-2019-10172 — CVSS 7.5 (high): A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also…
CVE-2018-11804 — CVSS 7.5 (high): Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation…
CVE-2025-55039 — CVSS 6.5 (medium): This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure…
CVE-2023-22946 — CVSS 6.4 (medium): In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The…
CVE-2017-7678 — CVSS 6.1 (medium): In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting…
CVE-2024-23945 — CVSS 5.9 (medium): Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity…
CVE-2018-11760 — CVSS 5.5 (medium): When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the…
CVE-2022-31777 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute…
CVE-2018-8024 — CVSS 5.4 (medium): In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark…
CVE-2020-27223 — CVSS 5.2 (medium): In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple…
CVE-2020-27218 — CVSS 4.8 (medium): In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request…
CVE-2018-1334 — CVSS 4.7 (medium): In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to…
CVE-2018-11770 — CVSS 4.2 (medium): From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism…