Apache Spark
22 CVEs affecting Apache Spark. Latest disclosed: 2026-03-16. Critical: 3, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-9480 | Critical | 9.8 | 2020-06-23 | In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret… |
| CVE-2018-17190 | Critical | 9.8 | 2018-11-19 | In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The ma… |
| CVE-2019-20445 | Critical | 9.1 | 2020-01-29 | HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding hea… |
| CVE-2025-54920 | High | 8.8 | 2026-03-16 | This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summ… |
| CVE-2023-32007 | High | 8.8 | 2023-05-02 | ** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authenticatio… |
| CVE-2022-33891 | High | 8.8 | 2022-07-18 | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a… |
| CVE-2017-12612 | High | 7.8 | 2017-09-13 | In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmat… |
| CVE-2021-38296 | High | 7.5 | 2022-03-10 | Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it u… |
| CVE-2019-10172 | High | 7.5 | 2019-11-18 | A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus ja… |
| CVE-2019-10099 | High | 7.5 | 2019-08-07 | Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cach… |
| CVE-2018-11804 | High | 7.5 | 2018-10-24 | Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been include… |
| CVE-2025-55039 | Medium | 6.5 | 2025-10-15 | This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network… |
| CVE-2023-22946 | Medium | 6.4 | 2023-04-17 | In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute… |
| CVE-2017-7678 | Medium | 6.1 | 2017-07-12 | In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points t… |
| CVE-2024-23945 | Medium | 5.9 | 2024-12-23 | Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps p… |
| CVE-2018-11760 | Medium | 5.5 | 2019-02-04 | When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This… |
| CVE-2022-31777 | Medium | 5.4 | 2022-11-01 | A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the… |
| CVE-2018-8024 | Medium | 5.4 | 2018-07-12 | In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and sta… |
| CVE-2020-27223 | Medium | 5.2 | 2021-02-26 | In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a lar… |
| CVE-2020-27218 | Medium | 4.8 | 2020-11-28 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is ena… |
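Several of the entries above turn on a handful of configuration options: `spark.authenticate` and `spark.network.crypto.enabled` for RPC authentication and encryption, `spark.io.encryption.enabled` for data spilled to local disk, and `spark.acls.enable` together with a UI authentication filter for the web UI ACL checks. The script below is an added example, not code from the Apache Spark project or from this page: it parses a `spark-defaults.conf` and flags the combinations that leave those protections off or ineffective. The two conf files are constructed samples, `spark.ui.filters` is assumed here to be the option that installs the "authentication filter" the UI ACL advisories refer to, and the filter class name in the hardened sample is a placeholder.

```python
"""Audit a spark-defaults.conf for the settings the Spark advisories hinge on.

Added example, not code from the Apache Spark project. Sample conf text is
constructed; spark.ui.filters is assumed to be how the UI authentication
filter is installed; org.example.AuthFilter is a placeholder class name.
"""
import re
from typing import NamedTuple

# Constructed sample: a weak $SPARK_HOME/conf/spark-defaults.conf.
WEAK_CONF = """\
# constructed example, not a real deployment
spark.master                 spark://master.internal:7077
spark.authenticate           false
spark.acls.enable            true
spark.ui.view.acls           alice,bob
spark.io.encryption.enabled=false
"""

# Constructed sample: the same file with the protections turned on.
# (No inline '#' comments after values: Spark reads this file with
# java.util.Properties, which would keep the '#...' as part of the value.)
HARDENED_CONF = """\
spark.master                 spark://master.internal:7077
spark.authenticate           true
spark.network.crypto.enabled true
spark.io.encryption.enabled  true
spark.acls.enable            true
spark.ui.filters             org.example.AuthFilter
"""


class Finding(NamedTuple):
    rule: str
    key: str
    message: str


# key, then either '=' / ':' (optionally padded) or plain whitespace, then value
_LINE = re.compile(r"^([^\s=:]+)(?:\s*[=:]\s*|\s+)(.*)$")


def parse_spark_conf(text: str) -> dict[str, str]:
    """Parse spark-defaults.conf: one 'key value' or 'key=value' per line.

    Blank lines and lines starting with '#' or '!' are comments; a later
    line overrides an earlier one, matching java.util.Properties semantics.
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def enabled(props: dict[str, str], key: str) -> bool:
    """Spark parses booleans with Scala's toBoolean: only 'true' (any case) is true."""
    return props.get(key, "false").strip().lower() == "true"


def audit(props: dict[str, str]) -> list[Finding]:
    """Return the weak or inconsistent combinations found in the parsed conf."""
    findings: list[Finding] = []
    auth = enabled(props, "spark.authenticate")
    crypto = enabled(props, "spark.network.crypto.enabled")
    if not auth:
        findings.append(Finding("rpc-auth-off", "spark.authenticate",
            "RPC authentication is off; master, workers and executors accept unauthenticated connections"))
    elif not crypto:
        findings.append(Finding("rpc-plaintext", "spark.network.crypto.enabled",
            "RPC is authenticated but not encrypted; shuffle and block traffic crosses the network in the clear"))
    if crypto and not auth:
        findings.append(Finding("crypto-without-auth", "spark.network.crypto.enabled",
            "spark.network.crypto.enabled has no effect unless spark.authenticate is also true"))
    if not enabled(props, "spark.io.encryption.enabled"):
        findings.append(Finding("disk-io-unencrypted", "spark.io.encryption.enabled",
            "cached and spilled data is written to local disk unencrypted"))
    acls = enabled(props, "spark.acls.enable")
    filters = props.get("spark.ui.filters", "").strip()
    if acls and not filters:
        findings.append(Finding("acls-without-filter", "spark.ui.filters",
            "spark.acls.enable is true but no authentication filter is configured, so the UI cannot tell users apart and the ACLs do nothing"))
    if filters and not acls:
        findings.append(Finding("filter-without-acls", "spark.acls.enable",
            "a UI authentication filter is installed but ACLs are off, so every user the filter admits gets full access to the UI"))
    return findings


def audit_text(text: str) -> list[Finding]:
    return audit(parse_spark_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit_text(conf)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.rule}] {f.key}: {f.message}")
```

Run against the weak sample it reports RPC authentication off, local disk I/O unencrypted, and ACLs enabled without a filter; the hardened sample produces no findings. The rules only say whether a setting is on, not whether the deployed Spark version is patched, so pair the audit with the version ranges in the table above.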