Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-10099

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Published

2019-08-07T17:15:12.073

Last Modified

2024-11-21T04:18:24.237

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-312
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache spark ≤ 1.6.3 Yes
Application apache spark ≤ 2.0.2 Yes
Application apache spark ≤ 2.1.3 Yes
Application apache spark ≤ 2.2.2 Yes
Application apache spark < 2.3.2 Yes
References