All the vulnerabilites related to apache - spark
cve-2022-31777
Vulnerability from cvelistv5
Published
2022-11-01 00:00
Modified
2024-08-03 07:26
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 3.3.0 Version: 3.2.1 and earlier < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"
},
{
"name": "[oss-security] 20221101 CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "3.2.1 and earlier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Florian Walter (Veracode)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-21T10:47:08.273Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"
},
{
"name": "[oss-security] 20221101 CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"
}
],
"source": {
"defect": [
"SPARK-39505"
],
"discovery": "UNKNOWN"
},
"title": "Apache Spark XSS vulnerability in log viewer UI Javascript",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache Spark maintenance releases 3.2.2, or 3.3.1 or later"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-31777",
"datePublished": "2022-11-01T00:00:00",
"dateReserved": "2022-05-27T00:00:00",
"dateUpdated": "2024-08-03T07:26:01.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20445
Vulnerability from cvelistv5
Published
2020-01-29 20:33
Modified
2024-08-05 02:39
Severity ?
EPSS score ?
Summary
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:10.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/issues/9861"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "RHSA-2020:0601",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-24T10:06:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/issues/9861"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "RHSA-2020:0601",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20445",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final",
"refsource": "MISC",
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"name": "https://github.com/netty/netty/issues/9861",
"refsource": "MISC",
"url": "https://github.com/netty/netty/issues/9861"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "RHSA-2020:0601",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E"
},
{
"name": "[flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20445",
"datePublished": "2020-01-29T20:33:03",
"dateReserved": "2020-01-29T00:00:00",
"dateUpdated": "2024-08-05T02:39:10.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-11760
Vulnerability from cvelistv5
Published
2019-02-04 17:00
Modified
2024-09-16 19:19
Severity ?
EPSS score ?
Summary
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/106786 | vdb-entry, x_refsource_BID | |
| https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: Apache Spark 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106786",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106786"
},
{
"name": "[user@spark.apache.org] 20190128 [SECURITY] CVE-2018-11760: Apache Spark local privilege escalation vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20190806 [spark-website] branch asf-site updated: CVE-2019-10099",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Spark 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1"
}
]
}
],
"datePublic": "2019-01-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "When using PySpark , it\u0027s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Privileges",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-06T16:06:19",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "106786",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106786"
},
{
"name": "[user@spark.apache.org] 20190128 [SECURITY] CVE-2018-11760: Apache Spark local privilege escalation vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20190806 [spark-website] branch asf-site updated: CVE-2019-10099",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2019-01-28T00:00:00",
"ID": "CVE-2018-11760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "Apache Spark 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When using PySpark , it\u0027s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106786",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106786"
},
{
"name": "[user@spark.apache.org] 20190128 [SECURITY] CVE-2018-11760: Apache Spark local privilege escalation vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20190806 [spark-website] branch asf-site updated: CVE-2019-10099",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e@%3Ccommits.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11760",
"datePublished": "2019-02-04T17:00:00Z",
"dateReserved": "2018-06-05T00:00:00",
"dateUpdated": "2024-09-16T19:19:24.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-38296
Vulnerability from cvelistv5
Published
2022-03-10 08:20
Modified
2024-08-04 01:37
Severity ?
EPSS score ?
Summary
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd | x_refsource_MISC | |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: up to and including version 3.1.2 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:37:16.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.1.2",
"status": "affected",
"version": "up to and including version 3.1.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Steve Weis (Databricks)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:31:48",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Spark Key Negotiation Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-38296",
"STATE": "PUBLIC",
"TITLE": "Apache Spark Key Negotiation Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "up to and including version 3.1.2",
"version_value": "3.1.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Steve Weis (Databricks)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-294 Authentication Bypass by Capture-replay"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-38296",
"datePublished": "2022-03-10T08:20:12",
"dateReserved": "2021-08-09T00:00:00",
"dateUpdated": "2024-08-04T01:37:16.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-33891
Vulnerability from cvelistv5
Published
2022-07-18 00:00
Modified
2024-08-03 08:09
Severity ?
EPSS score ?
Summary
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 3.0.3 and earlier < Version: 3.1.1 to 3.1.2 < Version: 3.2.0 to 3.2.1 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:09:22.687Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.0.3",
"status": "affected",
"version": "3.0.3 and earlier",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1.2",
"status": "affected",
"version": "3.1.1 to 3.1.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.2.1",
"status": "affected",
"version": "3.2.0 to 3.2.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": " Kostya Kortchinsky (Databricks)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1."
}
],
"metrics": [
{
"other": {
"content": {
"other": "important"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T08:13:36.397Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
],
"source": {
"defect": [
"SPARK-38992"
],
"discovery": "UNKNOWN"
},
"title": "Apache Spark shell command injection vulnerability via Spark UI",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to supported Apache Spark maintenance release 3.1.3, 3.2.2, or 3.3.0 or later"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-33891",
"datePublished": "2022-07-18T00:00:00",
"dateReserved": "2022-06-17T00:00:00",
"dateUpdated": "2024-08-03T08:09:22.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-10172
Vulnerability from cvelistv5
Published
2019-11-18 16:16
Modified
2024-08-04 22:10
Severity ?
EPSS score ?
Summary
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Redhat | jackson-mapper-asl |
Version: 1.9.x |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172"
},
{
"name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
},
{
"name": "[cassandra-commits] 20200407 [jira] [Created] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200413 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200420 [jira] [Updated] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200420 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200420 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200818 [jira] [Updated] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200818 [jira] [Created] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200819 [jira] [Updated] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200824 [SECURITY] [DLA 2342-1] libjackson-json-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html"
},
{
"name": "[hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200825 [jira] [Updated] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200825 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200901 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200901 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[spark-issues] 20210223 [jira] [Created] (SPARK-34511) Current Security vulnerabilities in spark libraries",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[hadoop-user] 20210317 jackson-mapper-asl vulnerability at Hadoop",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Updated] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Assigned] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20210318 [jira] [Created] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Commented] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20210318 CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Comment Edited] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210320 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hive-issues] 20210729 [jira] [Resolved] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210906 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210907 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210920 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210921 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210924 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210924 [jira] [Updated] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210926 [jira] [Commented] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210927 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210927 [jira] [Updated] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210927 [jira] [Assigned] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jackson-mapper-asl",
"vendor": "Redhat",
"versions": [
{
"status": "affected",
"version": "1.9.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T09:06:11",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172"
},
{
"name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
},
{
"name": "[cassandra-commits] 20200407 [jira] [Created] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200413 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200420 [jira] [Updated] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200420 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200420 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200818 [jira] [Updated] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200818 [jira] [Created] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200819 [jira] [Updated] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200824 [SECURITY] [DLA 2342-1] libjackson-json-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html"
},
{
"name": "[hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200825 [jira] [Updated] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200825 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200901 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200901 [jira] [Commented] (CASSANDRA-15701) Does Cassandra 3.11.3/3.11.5 is affected by CVE-2019-10712 or not ?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[spark-issues] 20210223 [jira] [Created] (SPARK-34511) Current Security vulnerabilities in spark libraries",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[hadoop-user] 20210317 jackson-mapper-asl vulnerability at Hadoop",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Updated] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Assigned] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20210318 [jira] [Created] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Commented] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20210318 CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210318 [jira] [Comment Edited] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210320 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hive-issues] 20210729 [jira] [Resolved] (HIVE-24904) CVE-2019-10172,CVE-2019-10202 vulnerabilities in jackson-mapper-asl-1.9.13.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210906 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210907 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210920 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210921 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210924 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210924 [jira] [Updated] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210926 [jira] [Commented] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210927 [jira] [Commented] (HADOOP-17225) Update jackson-mapper-asl-1.9.13 to atlassian version to mitigate: CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210927 [jira] [Updated] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210927 [jira] [Assigned] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10172",
"datePublished": "2019-11-18T16:16:02",
"dateReserved": "2019-03-27T00:00:00",
"dateUpdated": "2024-08-04T22:10:09.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22946
Vulnerability from cvelistv5
Published
2023-04-17 07:30
Modified
2024-10-21 15:06
Severity ?
EPSS score ?
Summary
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that
spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its
default of "false", and is not overridden by submitted applications.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv | vendor-advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 0 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:31.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T15:06:49.411118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T15:06:58.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hideyuki Furue"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Yi Wu (Databricks)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eIn Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a \u0027proxy-user\u0027 to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.\u003c/div\u003e\u003cdiv\u003eUpdate to Apache Spark 3.4.0 or later, and ensure that \nspark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its \ndefault of \"false\", and is not overridden by submitted applications.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a \u0027proxy-user\u0027 to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.\n\nUpdate to Apache Spark 3.4.0 or later, and ensure that \nspark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its \ndefault of \"false\", and is not overridden by submitted applications.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-17T07:30:19.865Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv"
}
],
"source": {
"defect": [
"SPARK-41958"
],
"discovery": "EXTERNAL"
},
"title": "Apache Spark proxy-user privilege escalation from malicious configuration class",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22946",
"datePublished": "2023-04-17T07:30:19.865Z",
"dateReserved": "2023-01-11T01:18:53.321Z",
"dateUpdated": "2024-10-21T15:06:58.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-10099
Vulnerability from cvelistv5
Published
2019-08-07 16:18
Modified
2024-08-04 22:10
Severity ?
EPSS score ?
Summary
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache | Apache Spark |
Version: 2.3.2 and below |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e%40%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20200318 [jira] [Commented] (SPARK-28626) Spark leaves unencrypted data on local disk, even with encryption turned on (CVE-2019-10099)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20200622 [spark-website] branch asf-site updated: CVE-2020-9480 details (#275)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae%40%3Ccommits.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "2.3.2 and below"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unencrypted data",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-22T23:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e%40%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20200318 [jira] [Commented] (SPARK-28626) Spark leaves unencrypted data on local disk, even with encryption turned on (CVE-2019-10099)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20200622 [spark-website] branch asf-site updated: CVE-2020-9480 details (#275)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae%40%3Ccommits.spark.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-10099",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "2.3.2 and below"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unencrypted data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20200318 [jira] [Commented] (SPARK-28626) Spark leaves unencrypted data on local disk, even with encryption turned on (CVE-2019-10099)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20200622 [spark-website] branch asf-site updated: CVE-2020-9480 details (#275)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-10099",
"datePublished": "2019-08-07T16:18:46",
"dateReserved": "2019-03-26T00:00:00",
"dateUpdated": "2024-08-04T22:10:09.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-11804
Vulnerability from cvelistv5
Published
2018-10-24 00:00
Modified
2024-08-05 08:17
Severity ?
EPSS score ?
Summary
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://spark.apache.org/security.html#CVE-2018-11804 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/105756 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 1.3.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20181024 CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11804"
},
{
"name": "105756",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105756"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.*",
"status": "affected",
"version": "1.3.0",
"versionType": "maven"
}
]
}
],
"datePublic": "2018-10-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spark\u0027s Apache Maven-based build includes a convenience script, \u0027build/mvn\u0027, that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T10:21:23.191Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20181024 CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11804"
},
{
"name": "105756",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105756"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-10-24T00:00:00",
"ID": "CVE-2018-11804",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "branches 1.3.x and later, including master"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spark\u0027s Apache Maven-based build includes a convenience script, \u0027build/mvn\u0027, that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20181024 CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d@%3Cdev.spark.apache.org%3E"
},
{
"name": "https://spark.apache.org/security.html#CVE-2018-11804",
"refsource": "CONFIRM",
"url": "https://spark.apache.org/security.html#CVE-2018-11804"
},
{
"name": "105756",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105756"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11804",
"datePublished": "2018-10-24T00:00:00",
"dateReserved": "2018-06-05T00:00:00",
"dateUpdated": "2024-08-05T08:17:09.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-8024
Vulnerability from cvelistv5
Published
2018-07-12 13:00
Modified
2024-09-17 02:10
Severity ?
EPSS score ?
Summary
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
References
| ▼ | URL | Tags |
|---|---|---|
| https://spark.apache.org/security.html#CVE-2018-8024 | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 1.0.0 to 2.1.2 Version: 2.2.0 to 2.2.1 Version: 2.3.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:12.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://spark.apache.org/security.html#CVE-2018-8024"
},
{
"name": "[dev] 20180711 CVE-2018-8024 Apache Spark XSS vulnerability in UI",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0 to 2.1.2"
},
{
"status": "affected",
"version": "2.2.0 to 2.2.1"
},
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"datePublic": "2018-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it\u0027s possible for a malicious user to construct a URL pointing to a Spark cluster\u0027s UI\u0027s job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user\u0027s view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting (XSS) Flaw",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://spark.apache.org/security.html#CVE-2018-8024"
},
{
"name": "[dev] 20180711 CVE-2018-8024 Apache Spark XSS vulnerability in UI",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-07-11T00:00:00",
"ID": "CVE-2018-8024",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "1.0.0 to 2.1.2"
},
{
"version_value": "2.2.0 to 2.2.1"
},
{
"version_value": "2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it\u0027s possible for a malicious user to construct a URL pointing to a Spark cluster\u0027s UI\u0027s job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user\u0027s view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting (XSS) Flaw"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://spark.apache.org/security.html#CVE-2018-8024",
"refsource": "CONFIRM",
"url": "https://spark.apache.org/security.html#CVE-2018-8024"
},
{
"name": "[dev] 20180711 CVE-2018-8024 Apache Spark XSS vulnerability in UI",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8024",
"datePublished": "2018-07-12T13:00:00Z",
"dateReserved": "2018-03-09T00:00:00",
"dateUpdated": "2024-09-17T02:10:38.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-12612
Vulnerability from cvelistv5
Published
2017-09-13 16:00
Modified
2024-08-05 18:43
Severity ?
EPSS score ?
Summary
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/100823 | vdb-entry, x_refsource_BID | |
| https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "100823",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100823"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-09-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "100823",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100823"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-12612",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "100823",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100823"
},
{
"name": "https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E",
"refsource": "MISC",
"url": "https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-12612",
"datePublished": "2017-09-13T16:00:00",
"dateReserved": "2017-08-07T00:00:00",
"dateUpdated": "2024-08-05T18:43:56.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-9480
Vulnerability from cvelistv5
Published
2020-06-23 21:50
Modified
2024-08-04 10:26
Severity ?
EPSS score ?
Summary
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
References
| ▼ | URL | Tags |
|---|---|---|
| https://spark.apache.org/security.html#CVE-2020-9480 | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: Apache Spark 2.4.5 and earlier |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.324Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://spark.apache.org/security.html#CVE-2020-9480"
},
{
"name": "[spark-user] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-dev] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3E"
},
{
"name": "[submarine-commits] 20201209 [GitHub] [submarine] QiAnXinCodeSafe opened a new issue #475: There is a vulnerability in Apache Spark 2.3.4,upgrade recommended",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3E"
},
{
"name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5593: [FE][Bug] Update Spark version to fix a security issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Spark 2.4.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 2.4.5 and earlier, a standalone resource manager\u0027s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application\u0027s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-14T17:20:25",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://spark.apache.org/security.html#CVE-2020-9480"
},
{
"name": "[spark-user] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-dev] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3E"
},
{
"name": "[submarine-commits] 20201209 [GitHub] [submarine] QiAnXinCodeSafe opened a new issue #475: There is a vulnerability in Apache Spark 2.3.4,upgrade recommended",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3E"
},
{
"name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5593: [FE][Bug] Update Spark version to fix a security issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-9480",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "Apache Spark 2.4.5 and earlier"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Spark 2.4.5 and earlier, a standalone resource manager\u0027s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application\u0027s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://spark.apache.org/security.html#CVE-2020-9480",
"refsource": "CONFIRM",
"url": "https://spark.apache.org/security.html#CVE-2020-9480"
},
{
"name": "[spark-user] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b@%3Cuser.spark.apache.org%3E"
},
{
"name": "[spark-dev] 20200803 Re: CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2@%3Cdev.spark.apache.org%3E"
},
{
"name": "[submarine-commits] 20201209 [GitHub] [submarine] QiAnXinCodeSafe opened a new issue #475: There is a vulnerability in Apache Spark 2.3.4,upgrade recommended",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d@%3Ccommits.submarine.apache.org%3E"
},
{
"name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5593: [FE][Bug] Update Spark version to fix a security issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b@%3Ccommits.doris.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-9480",
"datePublished": "2020-06-23T21:50:51",
"dateReserved": "2020-03-01T00:00:00",
"dateUpdated": "2024-08-04T10:26:16.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-32007
Vulnerability from cvelistv5
Published
2023-05-02 08:37
Modified
2024-10-15 18:08
Severity ?
EPSS score ?
Summary
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 3.1.1 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33891"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://spark.apache.org/security.html"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "spark",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-32007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T18:07:28.600128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T18:08:50.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.1.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Sven Krewitt, Flashpoint"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.\u003c/div\u003e\u003cdiv\u003eNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\u003c/div\u003e\u003cdiv\u003eUsers are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\n\nUsers are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-02T08:37:22.118Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33891"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://spark.apache.org/security.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Spark: Shell command injection via Spark UI",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-32007",
"datePublished": "2023-05-02T08:37:22.118Z",
"dateReserved": "2023-05-01T15:03:52.353Z",
"dateUpdated": "2024-10-15T18:08:50.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-17190
Vulnerability from cvelistv5
Published
2018-11-19 14:00
Modified
2024-08-05 10:39
Severity ?
EPSS score ?
Summary
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/105976 | vdb-entry, x_refsource_BID | |
| https://security.gentoo.org/glsa/201903-21 | vendor-advisory, x_refsource_GENTOO | |
| https://www.oracle.com/security-alerts/cpujul2020.html | x_refsource_MISC | |
| https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3E | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: All versions |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:39:59.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "105976",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105976"
},
{
"name": "GLSA-201903-21",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201903-21"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"datePublic": "2018-11-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In all versions of Apache Spark, its standalone resource manager accepts code to execute on a \u0027master\u0027 host, that then runs that code on \u0027worker\u0027 hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-15T02:22:57",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "105976",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105976"
},
{
"name": "GLSA-201903-21",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201903-21"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2018-17190",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In all versions of Apache Spark, its standalone resource manager accepts code to execute on a \u0027master\u0027 host, that then runs that code on \u0027worker\u0027 hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "105976",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105976"
},
{
"name": "GLSA-201903-21",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201903-21"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5@%3Cdev.spark.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5@%3Cdev.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-17190",
"datePublished": "2018-11-19T14:00:00",
"dateReserved": "2018-09-19T00:00:00",
"dateUpdated": "2024-08-05T10:39:59.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-7678
Vulnerability from cvelistv5
Published
2017-07-12 13:00
Modified
2024-08-05 16:12
Severity ?
EPSS score ?
Summary
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
References
| ▼ | URL | Tags |
|---|---|---|
| http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html | mailing-list, x_refsource_MLIST | |
| http://www.securityfocus.com/bid/99603 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.760Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170712 CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html"
},
{
"name": "99603",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99603"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user\u0027s trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-18T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170712 CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html"
},
{
"name": "99603",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99603"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-7678",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user\u0027s trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170712 CVE-2017-7678 Apache Spark XSS web UI MHTML vulnerability",
"refsource": "MLIST",
"url": "http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html"
},
{
"name": "99603",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99603"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7678",
"datePublished": "2017-07-12T13:00:00",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-08-05T16:12:27.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-1334
Vulnerability from cvelistv5
Published
2018-07-12 13:00
Modified
2024-09-17 03:22
Severity ?
EPSS score ?
Summary
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
References
| ▼ | URL | Tags |
|---|---|---|
| https://spark.apache.org/security.html#CVE-2018-1334 | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 1.0.0 to 2.1.2 Version: 2.2.0 to 2.2.1 Version: 2.3.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://spark.apache.org/security.html#CVE-2018-1334"
},
{
"name": "[dev] 20180711 CVE-2018-1334 Apache Spark local privilege escalation vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0 to 2.1.2"
},
{
"status": "affected",
"version": "2.2.0 to 2.2.1"
},
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"datePublic": "2018-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it\u0027s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-12T12:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://spark.apache.org/security.html#CVE-2018-1334"
},
{
"name": "[dev] 20180711 CVE-2018-1334 Apache Spark local privilege escalation vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-07-11T00:00:00",
"ID": "CVE-2018-1334",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "1.0.0 to 2.1.2"
},
{
"version_value": "2.2.0 to 2.2.1"
},
{
"version_value": "2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it\u0027s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://spark.apache.org/security.html#CVE-2018-1334",
"refsource": "CONFIRM",
"url": "https://spark.apache.org/security.html#CVE-2018-1334"
},
{
"name": "[dev] 20180711 CVE-2018-1334 Apache Spark local privilege escalation vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1334",
"datePublished": "2018-07-12T13:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-17T03:22:59.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-11770
Vulnerability from cvelistv5
Published
2018-08-13 00:00
Modified
2024-08-05 08:17
Severity ?
EPSS score ?
Summary
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
References
| ▼ | URL | Tags |
|---|---|---|
| https://spark.apache.org/security.html#CVE-2018-11770 | x_refsource_CONFIRM | |
| https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://www.securityfocus.com/bid/105097 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache Spark |
Version: 1.3.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11770"
},
{
"name": "[dev] 20180813 CVE-2018-11770: Apache Spark standalone master, Mesos REST APIs not controlled by authentication",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E"
},
{
"name": "105097",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105097"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "1.3.0",
"versionType": "maven"
}
]
}
],
"datePublic": "2018-08-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "From version 1.3.0 onward, Apache Spark\u0027s standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property \u0027spark.authenticate.secret\u0027 establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting \u0027spark.authenticate.secret\u0027 when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of \u0027spark.master.rest.enabled\u0027 to \u0027false\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T10:26:39.838Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11770"
},
{
"name": "[dev] 20180813 CVE-2018-11770: Apache Spark standalone master, Mesos REST APIs not controlled by authentication",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E"
},
{
"name": "105097",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105097"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-08-13T00:00:00",
"ID": "CVE-2018-11770",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Spark",
"version": {
"version_data": [
{
"version_value": "1.3.0 and later"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "From version 1.3.0 onward, Apache Spark\u0027s standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property \u0027spark.authenticate.secret\u0027 establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting \u0027spark.authenticate.secret\u0027 when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of \u0027spark.master.rest.enabled\u0027 to \u0027false\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://spark.apache.org/security.html#CVE-2018-11770",
"refsource": "CONFIRM",
"url": "https://spark.apache.org/security.html#CVE-2018-11770"
},
{
"name": "[dev] 20180813 CVE-2018-11770: Apache Spark standalone master, Mesos REST APIs not controlled by authentication",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485@%3Cdev.spark.apache.org%3E"
},
{
"name": "105097",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105097"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11770",
"datePublished": "2018-08-13T00:00:00",
"dateReserved": "2018-06-05T00:00:00",
"dateUpdated": "2024-08-05T08:17:09.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-27223
Vulnerability from cvelistv5
Published
2021-02-26 21:55
Modified
2024-08-04 16:11
Severity ?
EPSS score ?
Summary
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | The Eclipse Foundation | Eclipse Jetty |
Version: 9.4.6.v20170531 < unspecified Version: unspecified < Version: 10.0.0 Version: 11.0.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7"
},
{
"name": "[karaf-user] 20210301 Re: Jetty security defect",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea%40%3Cuser.karaf.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr opened a new pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[druid-commits] 20210302 [GitHub] [druid] a2l007 opened a new pull request #10937: Upgrade jetty to latest version",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] ableegoldman commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.8 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210303 [GitHub] [activemq] ehossack-aws opened a new pull request #616: Upgrade to Jetty 9.4.38.v20210224",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210307 [jira] [Updated] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210307 [jira] [Created] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210307 [jira] [Created] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210308 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210308 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on a change in pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg closed pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg closed pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on a change in pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] arshadmohammad commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210310 [GitHub] [zookeeper] asfgit closed pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210310 [jira] [Resolved] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch branch-3.7.0 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch master updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[solr-users] 20210310 Does CVE-2020-27223 impact Solr 8.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320%40%3Cusers.solr.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Created] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7%40%3Cissues.nifi.apache.org%3E"
},
{
"name": "[lucene-dev] 20210310 Does CVE-2020-27223 impact Solr 8.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Resolved] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f%40%3Cissues.nifi.apache.org%3E"
},
{
"name": "[lucene-dev] 20210310 Re: Does CVE-2020-27223 impact Solr 8.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Commented] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb%40%3Cissues.nifi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1%40%3Cdev.kafka.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Assigned] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] xkrogen opened a new pull request #31846: [SPARK-34752] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] AmplabJenkins commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Updated] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Commented] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Created] (SPARK-34752) Upgrade Jetty to 9.3.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Updated] (SPARK-34752) Upgrade Jetty to 9.3.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Resolved] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] HyukjinKwon commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] HyukjinKwon closed pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210316 [GitHub] [spark] xkrogen commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[solr-issues] 20210407 [jira] [Created] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210401-0005/"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f%40%3Cissues.solr.apache.org%3E"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r65c714241b9d064a44fec10d60ebf5a37d5ebadd6bf88b0eed13ade0%40%3Cissues.solr.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "9.4.6.v20170531",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4.36.v20210114",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "10.0.0"
},
{
"status": "affected",
"version": "11.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of \u201cquality\u201d (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-13T18:06:11",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7"
},
{
"name": "[karaf-user] 20210301 Re: Jetty security defect",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea%40%3Cuser.karaf.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr opened a new pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[druid-commits] 20210302 [GitHub] [druid] a2l007 opened a new pull request #10937: Upgrade jetty to latest version",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] ableegoldman commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.8 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210303 [GitHub] [activemq] ehossack-aws opened a new pull request #616: Upgrade to Jetty 9.4.38.v20210224",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210307 [jira] [Updated] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210307 [jira] [Created] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210307 [jira] [Created] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210308 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210308 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on a change in pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg closed pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg closed pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on a change in pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] arshadmohammad commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210310 [GitHub] [zookeeper] asfgit closed pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210310 [jira] [Resolved] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch branch-3.7.0 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch master updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[solr-users] 20210310 Does CVE-2020-27223 impact Solr 8.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320%40%3Cusers.solr.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Created] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7%40%3Cissues.nifi.apache.org%3E"
},
{
"name": "[lucene-dev] 20210310 Does CVE-2020-27223 impact Solr 8.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Resolved] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f%40%3Cissues.nifi.apache.org%3E"
},
{
"name": "[lucene-dev] 20210310 Re: Does CVE-2020-27223 impact Solr 8.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Commented] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb%40%3Cissues.nifi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1%40%3Cdev.kafka.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Assigned] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] xkrogen opened a new pull request #31846: [SPARK-34752] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] AmplabJenkins commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Updated] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Commented] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Created] (SPARK-34752) Upgrade Jetty to 9.3.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Updated] (SPARK-34752) Upgrade Jetty to 9.3.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Resolved] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] HyukjinKwon commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] HyukjinKwon closed pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210316 [GitHub] [spark] xkrogen commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[solr-issues] 20210407 [jira] [Created] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210401-0005/"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f%40%3Cissues.solr.apache.org%3E"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r65c714241b9d064a44fec10d60ebf5a37d5ebadd6bf88b0eed13ade0%40%3Cissues.solr.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2020-27223",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Jetty",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "9.4.6.v20170531"
},
{
"version_affected": "\u003c=",
"version_value": "9.4.36.v20210114"
},
{
"version_affected": "=",
"version_value": "10.0.0"
},
{
"version_affected": "=",
"version_value": "11.0.0"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of \u201cquality\u201d (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values."
}
]
},
"impact": {
"cvss": {
"baseScore": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-407: Inefficient Algorithmic Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128",
"refsource": "CONFIRM",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128"
},
{
"name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7",
"refsource": "CONFIRM",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7"
},
{
"name": "[karaf-user] 20210301 Re: Jetty security defect",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea@%3Cuser.karaf.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr opened a new pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[druid-commits] 20210302 [GitHub] [druid] a2l007 opened a new pull request #10937: Upgrade jetty to latest version",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] ableegoldman commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.8 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20210303 [GitHub] [activemq] ehossack-aws opened a new pull request #616: Upgrade to Jetty 9.4.38.v20210224",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc@%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210307 [jira] [Updated] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210307 [jira] [Created] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210307 [jira] [Created] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210308 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210308 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210308 [GitHub] [zookeeper] arshadmohammad commented on a change in pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg closed pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1624: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg closed pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1625: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] ztzg commented on a change in pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210309 [GitHub] [zookeeper] arshadmohammad commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210310 [GitHub] [zookeeper] asfgit closed pull request #1623: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210310 [jira] [Resolved] (ZOOKEEPER-4233) dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch branch-3.7.0 updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210310 [zookeeper] branch master updated: ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[solr-users] 20210310 Does CVE-2020-27223 impact Solr 8.6.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320@%3Cusers.solr.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Created] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7@%3Cissues.nifi.apache.org%3E"
},
{
"name": "[lucene-dev] 20210310 Does CVE-2020-27223 impact Solr 8.6.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Resolved] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f@%3Cissues.nifi.apache.org%3E"
},
{
"name": "[lucene-dev] 20210310 Re: Does CVE-2020-27223 impact Solr 8.6.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[nifi-issues] 20210310 [jira] [Commented] (NIFI-8309) Update to latest Jetty due to reported CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb@%3Cissues.nifi.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Assigned] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] xkrogen opened a new pull request #31846: [SPARK-34752] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] AmplabJenkins commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Updated] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Commented] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Created] (SPARK-34752) Upgrade Jetty to 9.3.37 to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Updated] (SPARK-34752) Upgrade Jetty to 9.3.37 to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210315 [jira] [Resolved] (SPARK-34752) Upgrade Jetty to 9.4.37 to fix CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] HyukjinKwon commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210315 [GitHub] [spark] HyukjinKwon closed pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210316 [GitHub] [spark] xkrogen commented on pull request #31846: [SPARK-34752][BUILD] Bump Jetty to 9.4.37 to address CVE-2020-27223",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8@%3Creviews.spark.apache.org%3E"
},
{
"name": "[solr-issues] 20210407 [jira] [Created] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211@%3Cissues.solr.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210401-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210401-0005/"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f@%3Cissues.solr.apache.org%3E"
},
{
"name": "DSA-4949",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r65c714241b9d064a44fec10d60ebf5a37d5ebadd6bf88b0eed13ade0@%3Cissues.solr.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2020-27223",
"datePublished": "2021-02-26T21:55:13",
"dateReserved": "2020-10-19T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-27218
Vulnerability from cvelistv5
Published
2020-11-28 00:00
Modified
2024-08-04 16:11
Severity ?
EPSS score ?
Summary
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | The Eclipse Foundation | Eclipse Jetty |
Version: 9.4.0.RC0 to 9.4.34.v20201102 Version: 10.0.0.alpha0 to 10.0.0.beta2 Version: 11.0.0.alpha0 to 11.0.0.beta2 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg opened a new pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] phunt commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20201205 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg opened a new pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg opened a new pull request #1553: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20201206 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] nkalmar commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] nkalmar commented on a change in pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] ztzg commented on a change in pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] ztzg commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] ztzg commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] nkalmar commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] nkalmar commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20201208 Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201211 [GitHub] [zookeeper] nkalmar commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201215 [GitHub] [zookeeper] phunt commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg closed pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20201224 [zookeeper] branch master updated: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] eolivelli commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg closed pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20201224 [jira] [Resolved] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg commented on pull request #1553: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg closed pull request #1553: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[hbase-dev] 20210205 [jira] [Created] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [jira] [Created] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] pankaj72981 opened a new pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [jira] [Work started] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [jira] [Updated] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] busbey commented on a change in pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] busbey commented on pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] jojochuang commented on a change in pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210206 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210206 [hbase-thirdparty] branch master updated: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210206 [jira] [Resolved] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210206 [GitHub] [hbase-thirdparty] busbey closed pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210206 [jira] [Resolved] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[kafka-jira] 20210211 [jira] [Created] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210211 [jira] [Created] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210212 [jira] [Assigned] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210212 [jira] [Commented] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] sarutak opened a new pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210216 [jira] [Created] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] sarutak commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210216 [jira] [Commented] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210216 [jira] [Assigned] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] SparkQA commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] dongjoon-hyun commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] AmplabJenkins commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] sarutak edited a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] HyukjinKwon commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] sarutak commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] SparkQA commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] SparkQA removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] AmplabJenkins commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] srowen commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak edited a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210218 [spark] branch branch-3.1 updated: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] HyukjinKwon closed pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] HyukjinKwon commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210218 [spark] branch branch-3.0 updated: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak opened a new pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210218 [jira] [Commented] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] srowen commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] SparkQA commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] SparkQA removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] AmplabJenkins commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] HyukjinKwon closed pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210219 [jira] [Resolved] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] HyukjinKwon commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210219 [spark] branch branch-2.4 updated: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210222 [jira] [Updated] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] dongjinleekr opened a new pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] dongjinleekr commented on pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] ijuma commented on pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] omkreddy closed pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210222 [kafka] branch 2.7 updated: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [jira] [Resolved] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210222 [kafka] branch 2.8 updated: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210222 [jira] [Resolved] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210222 [kafka] branch 2.6 updated: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[nifi-commits] 20210222 svn commit: r1886814 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201218-0003/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"status": "affected",
"version": "9.4.0.RC0 to 9.4.34.v20201102"
},
{
"status": "affected",
"version": "10.0.0.alpha0 to 10.0.0.beta2"
},
{
"status": "affected",
"version": "11.0.0.alpha0 to 11.0.0.beta2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-226",
"description": "CWE-226: Sensitive Information in Resource Not Removed Before Reuse",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T21:06:23.588882",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892"
},
{
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg opened a new pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] phunt commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20201205 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg opened a new pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg opened a new pull request #1553: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201205 [GitHub] [zookeeper] ztzg commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20201206 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] nkalmar commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] nkalmar commented on a change in pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] ztzg commented on a change in pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201206 [GitHub] [zookeeper] ztzg commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] ztzg commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] nkalmar commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201207 [GitHub] [zookeeper] nkalmar commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20201208 Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201211 [GitHub] [zookeeper] nkalmar commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201215 [GitHub] [zookeeper] phunt commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg closed pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20201224 [zookeeper] branch master updated: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] eolivelli commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg closed pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20201224 [jira] [Resolved] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg commented on pull request #1553: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20201224 [GitHub] [zookeeper] ztzg closed pull request #1553: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[hbase-dev] 20210205 [jira] [Created] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [jira] [Created] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] pankaj72981 opened a new pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [jira] [Work started] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [jira] [Updated] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] busbey commented on a change in pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] busbey commented on pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210205 [GitHub] [hbase-thirdparty] jojochuang commented on a change in pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210206 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210206 [hbase-thirdparty] branch master updated: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210206 [jira] [Resolved] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210206 [GitHub] [hbase-thirdparty] busbey closed pull request #46: HBASE-25552 Upgrade jetty jar to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210206 [jira] [Resolved] (HBASE-25552) [hbase-thirdparty] Update jetty version to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[kafka-jira] 20210211 [jira] [Created] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210211 [jira] [Created] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210212 [jira] [Assigned] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210212 [jira] [Commented] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] sarutak opened a new pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210216 [jira] [Created] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] sarutak commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210216 [jira] [Commented] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210216 [jira] [Assigned] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] SparkQA commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] dongjoon-hyun commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210216 [GitHub] [spark] AmplabJenkins commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] sarutak edited a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] HyukjinKwon commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] sarutak commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] SparkQA commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] SparkQA removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] AmplabJenkins commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210217 [GitHub] [spark] srowen commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak edited a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210218 [spark] branch branch-3.1 updated: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] HyukjinKwon closed pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] HyukjinKwon commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210218 [spark] branch branch-3.0 updated: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins commented on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak opened a new pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210218 [jira] [Commented] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] sarutak commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] SparkQA removed a comment on pull request #31574: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210218 [GitHub] [spark] AmplabJenkins commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] srowen commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] SparkQA commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] SparkQA removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] AmplabJenkins removed a comment on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] AmplabJenkins commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] HyukjinKwon closed pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210219 [jira] [Resolved] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210219 [GitHub] [spark] HyukjinKwon commented on pull request #31583: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210219 [spark] branch branch-2.4 updated: [SPARK-34449][BUILD][2.4] Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210222 [jira] [Updated] (SPARK-34449) Upgrade Jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] dongjinleekr opened a new pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] dongjinleekr commented on pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] ijuma commented on pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [GitHub] [kafka] omkreddy closed pull request #10177: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210222 [kafka] branch 2.7 updated: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210222 [jira] [Resolved] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210222 [kafka] branch 2.8 updated: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210222 [jira] [Resolved] (KAFKA-12324) Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210222 [kafka] branch 2.6 updated: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[nifi-commits] 20210222 svn commit: r1886814 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
},
{
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20201218-0003/"
},
{
"url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E"
},
{
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2020-27218",
"datePublished": "2020-11-28T00:00:00",
"dateReserved": "2020-10-19T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2018-07-12 13:29
Modified
2024-11-21 04:13
Severity ?
Summary
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E0C30489-282E-4C5C-B274-BB11EFD9A075",
"versionEndIncluding": "2.1.2",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5B95AEE-9895-43B4-A7B3-82F32E3DF309",
"versionEndIncluding": "2.2.1",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69EA4E44-C122-47DC-8083-FD55B064363A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*",
"matchCriteriaId": "97D4FFCF-5309-43B6-9FD5-680C6D535A7F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it\u0027s possible for a malicious user to construct a URL pointing to a Spark cluster\u0027s UI\u0027s job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user\u0027s view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not."
},
{
"lang": "es",
"value": "En Apache Spark versi\u00f3n 2.1.0 hasta 2.1.2, versi\u00f3n 2.2.0 hasta 2.2.1 y versi\u00f3n 2.3.0, es posible que un usuario malicioso construya una direcci\u00f3n URL que apunte a las p\u00e1ginas de informaci\u00f3n de trabajo y etapa de la Interfaz de Usuario del cl\u00faster Spark, y si un usuario puede ser enga\u00f1ado para que acceda a la direcci\u00f3n URL, puede ser usado para causar que el script se ejecute y exponga informaci\u00f3n de la vista del usuario de la IU de Spark. Mientras que algunos navegadores como las versiones recientes de Chrome y Safari son capaces de bloquear este tipo de ataque, las versiones actuales de Firefox (y posiblemente otros) no lo hacen."
}
],
"id": "CVE-2018-8024",
"lastModified": "2024-11-21T04:13:07.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-12T13:29:00.273",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-8024"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-8024"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-18 17:15
Modified
2024-11-21 04:18
Severity ?
Summary
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| fasterxml | jackson-mapper-asl | * | |
| redhat | jboss_enterprise_application_platform | 7.0 | |
| redhat | jboss_fuse | 7.0.0 | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| apache | spark | 3.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fasterxml:jackson-mapper-asl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5946E031-5234-46C6-BA61-93A886C8BE8E",
"versionEndIncluding": "1.9.13",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "88BF3B2C-B121-483A-AEF2-8082F6DA5310",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9F972DB3-9775-49FE-9D84-D2F287EAB31F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes."
},
{
"lang": "es",
"value": "Se detect\u00f3 un fallo en las bibliotecas org.codehaus.jackson:jackson-mapper-asl:1.9.x. Las vulnerabilidades de tipo XML external entity similares a CVE-2016-3720, tambi\u00e9n afectan a las bibliotecas codehaus jackson-mapper-asl pero en diferentes clases."
}
],
"id": "CVE-2019-10172",
"lastModified": "2024-11-21T04:18:34.477",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-18T17:15:11.063",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-13 16:29
Modified
2024-11-21 03:09
Severity ?
Summary
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/100823 | Third Party Advisory, VDB Entry | |
| security@apache.org | https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100823 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E | Mailing List, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "58865F90-EC63-4921-96BC-4EE9B534A3F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "06C61354-EBDA-4D5C-B04E-13485603EB4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E516F716-30A9-4B2A-BE27-A8AF590950ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BCD42625-3551-48FB-8368-A7C3B6AC32ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1720777E-9812-4D9E-A303-5923DF02D483",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "34D47F51-C0CC-4626-9EC5-44364725F50E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "46511CBC-8190-44BF-B0DD-F46FEFE0DEEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D6E35193-4C21-4DC6-A1F4-EA484BC81823",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "730BD3AC-64E0-4D06-9F33-A9130210F38A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later."
},
{
"lang": "es",
"value": "En las versiones 1.6.0 a 2.1.1 de Apache Spark, la API de lanzamiento realiza una deserializaci\u00f3n no segura de los datos recibidos por su socket. Esto hace que las aplicaciones ejecutadas de manera program\u00e1tica utilizando la API del lanzador potencialmente vulnerable a la ejecuci\u00f3n de c\u00f3digo arbitrario por un atacante con acceso a cualquier cuenta de usuario en la m\u00e1quina local. Esto no afecta a las apps ejecutadas por spark-submit o spark-shell. El atacante podr\u00eda ejecutar c\u00f3digo como el usuario que ejecutaba la aplicaci\u00f3n Spark. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.2.0 o posterior."
}
],
"id": "CVE-2017-12612",
"lastModified": "2024-11-21T03:09:53.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-13T16:29:00.477",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100823"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100823"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-10-24 18:29
Modified
2024-11-21 03:44
Severity ?
Summary
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/105756 | Broken Link, Third Party Advisory, VDB Entry | |
| security@apache.org | https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E | Mailing List, Third Party Advisory | |
| security@apache.org | https://spark.apache.org/security.html#CVE-2018-11804 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105756 | Broken Link, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://spark.apache.org/security.html#CVE-2018-11804 | Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E6DDE9C4-1C4F-4C99-A0C5-0B8C55614A67",
"versionEndExcluding": "2.2.3",
"versionStartIncluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7CAF602-1980-409A-8949-2F15CDCDF4C6",
"versionEndExcluding": "2.3.3",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Spark\u0027s Apache Maven-based build includes a convenience script, \u0027build/mvn\u0027, that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code."
},
{
"lang": "es",
"value": "La build basada en Apache Maven de Spark incluye un script de conveniencia, \"build/mvn\", que descarga y ejecuta un servidor zinc para acelerar la compilaci\u00f3n. Ha sido incluida en las ramas de lanzamiento desde las versiones 1.3.x hasta la master (incluida). El servidor aceptar\u00e1 conexiones de hosts externos por defecto. Una petici\u00f3n especialmente manipulada al servidor zinc podr\u00eda provocar que revele informaci\u00f3n en archivos legibles por la cuenta de desarrollador que ejecuta la build. N\u00f3tese que este problema no afecta a los usuarios finales de Spark, solo a los desarrolladores que construyen Spark desde el c\u00f3digo fuente."
}
],
"id": "CVE-2018-11804",
"lastModified": "2024-11-21T03:44:04.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-24T18:29:00.263",
"references": [
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105756"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11804"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105756"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11804"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-11-19 14:29
Modified
2024-11-21 03:54
Severity ?
Summary
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0E85B3-2927-46FC-8FA6-9DBE1A12BCB6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In all versions of Apache Spark, its standalone resource manager accepts code to execute on a \u0027master\u0027 host, that then runs that code on \u0027worker\u0027 hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected."
},
{
"lang": "es",
"value": "En todas las versiones de Apache Spark, su gestor independiente de recursos acepta que el c\u00f3digo se ejecute en un host \"master\" que ejecuta dicho c\u00f3digo en los hosts \"worker\". Por dise\u00f1o, el propio master no ejecuta c\u00f3digo del usuario. Sin embargo, una petici\u00f3n especialmente manipulada al master puede provocar que el master tambi\u00e9n lo haga. N\u00f3tese que esto no afecta a los cl\u00fasters independientes con la autenticaci\u00f3n habilitada. Aunque el host master suele tener menos acceso saliente a otros recursos que un worker, la ejecuci\u00f3n de c\u00f3digo en el master sigue siendo inesperada."
}
],
"id": "CVE-2018-17190",
"lastModified": "2024-11-21T03:54:03.430",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-19T14:29:00.513",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105976"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201903-21"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105976"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201903-21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-01-29 21:15
Modified
2024-11-21 04:38
Severity ?
Summary
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| netty | netty | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 33 | |
| canonical | ubuntu_linux | 18.04 | |
| redhat | jboss_amq_clients | 2 | |
| redhat | jboss_enterprise_application_platform | 7.2 | |
| redhat | jboss_enterprise_application_platform | 7.3 | |
| redhat | enterprise_linux | 6.0 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| apache | spark | 2.4.7 | |
| apache | spark | 2.4.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D374B9C-E87A-47F2-AF0C-25D2A6D03E89",
"versionEndExcluding": "4.1.44",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_amq_clients:2:*:*:*:*:*:*:*",
"matchCriteriaId": "491FADFF-AE11-4EDE-BD6B-64856292CA62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:2.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "AE120F70-6F8C-474A-B83F-A4F48581CEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "63630C2A-F68C-491B-A5A5-FC15D44927CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header."
},
{
"lang": "es",
"value": "\"El archivo HttpObjectDecoder.java en Netty versiones anteriores a 4.1.44, permite que un encabezado Content-Length est\u00e9 acompa\u00f1ado por un segundo encabezado Content-Length o por un encabezado Transfer-Encoding.\""
}
],
"id": "CVE-2019-20445",
"lastModified": "2024-11-21T04:38:30.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-29T21:15:11.110",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/netty/netty/issues/9861"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/netty/netty/issues/9861"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-02-04 17:29
Modified
2024-11-21 03:43
Severity ?
Summary
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "348D0E20-6B63-4516-B1A8-46FEE778E07E",
"versionEndIncluding": "1.6.3",
"versionStartIncluding": "1.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFB8C81A-DF11-4616-83C3-67B49BFD5C86",
"versionEndIncluding": "2.0.2",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF05757C-1031-4F5E-A70E-EDF8ECEBCB86",
"versionEndIncluding": "2.1.3",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D25D5D98-C601-4976-93BC-DEC6CD067CDC",
"versionEndIncluding": "2.2.2",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18C67467-FCD6-40F9-AD69-B363B97C4C7A",
"versionEndIncluding": "2.3.1",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When using PySpark , it\u0027s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1."
},
{
"lang": "es",
"value": "Al utilizar PySpark, es posible que un usuario local diferente se conecte a la aplicaci\u00f3n de Spark y suplante al usuario que ejecuta la aplicaci\u00f3n de Spark. Afecta a las versiones 1.x, 2.0.x, 2.1.x, 2.2.0 a 2.2.2 y desde la 2.3.0 hasta la 2.3.1."
}
],
"id": "CVE-2018-11760",
"lastModified": "2024-11-21T03:43:58.443",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-02-04T17:29:00.280",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.securityfocus.com/bid/106786"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.securityfocus.com/bid/106786"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-17 08:15
Modified
2024-11-21 07:45
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.
Update to Apache Spark 3.4.0 or later, and ensure that
spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its
default of "false", and is not overridden by submitted applications.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E07052F3-5478-49EA-BF6F-25219955A29A",
"versionEndExcluding": "3.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a \u0027proxy-user\u0027 to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.\n\nUpdate to Apache Spark 3.4.0 or later, and ensure that \nspark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its \ndefault of \"false\", and is not overridden by submitted applications.\n\n\n"
}
],
"id": "CVE-2023-22946",
"lastModified": "2024-11-21T07:45:41.800",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-17T08:15:07.790",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/yllfl25xh5tbotjmg93zrq4bzwhqc0gv"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-18 07:15
Modified
2024-11-21 07:08
Severity ?
Summary
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/05/02/1 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/05/02/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc | Mailing List, Third Party Advisory |
{
"cisaActionDue": "2023-03-28",
"cisaExploitAdd": "2023-03-07",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Apache Spark Command Injection Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC23EB9-9F4E-40BF-B048-51D8DE194C6A",
"versionEndIncluding": "3.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "719242D7-9E8B-4EBE-A3E6-B4DC77E6F3D9",
"versionEndIncluding": "3.1.2",
"versionStartIncluding": "3.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48E12AD0-1B58-4786-B28C-C661B3932736",
"versionEndIncluding": "3.2.1",
"versionStartIncluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1."
},
{
"lang": "es",
"value": "La interfaz de usuario de Apache Spark ofrece la posibilidad de habilitar ACLs por medio de la opci\u00f3n de configuraci\u00f3n spark.acls.enable. Con un filtro de autenticaci\u00f3n, es comprobado si un usuario presenta permisos de acceso para ver o modificar la aplicaci\u00f3n. Si las ACLs est\u00e1n habilitadas, una ruta de c\u00f3digo en HttpSecurityFilter puede permitir que alguien lleve a cabo una suplantaci\u00f3n de identidad proporcionando un nombre de usuario arbitrario. Un usuario malicioso podr\u00eda entonces ser capaz de llegar a una funci\u00f3n de comprobaci\u00f3n de permisos que finalmente construir\u00e1 un comando de shell Unix basado en su entrada, y lo ejecutar\u00e1. Esto resultar\u00e1 en la ejecuci\u00f3n de un comando shell arbitrario como el usuario con el que Spark se est\u00e1 ejecutando actualmente. Esto afecta a las versiones de Apache Spark 3.0.3 y anteriores, a las versiones 3.1.1 a 3.1.2 y a las versiones 3.2.0 a 3.2.1"
}
],
"id": "CVE-2022-33891",
"lastModified": "2024-11-21T07:08:32.510",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-18T07:15:07.600",
"references": [
{
"source": "security@apache.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-28 01:15
Modified
2024-11-21 05:20
Severity ?
Summary
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eclipse | jetty | * | |
| eclipse | jetty | 10.0.0 | |
| eclipse | jetty | 10.0.0 | |
| eclipse | jetty | 10.0.0 | |
| eclipse | jetty | 10.0.0 | |
| eclipse | jetty | 10.0.0 | |
| eclipse | jetty | 11.0.0 | |
| eclipse | jetty | 11.0.0 | |
| eclipse | jetty | 11.0.0 | |
| netapp | oncommand_system_manager | * | |
| netapp | snap_creator_framework | - | |
| oracle | blockchain_platform | * | |
| oracle | communications_converged_application_server_-_service_controller | 6.2 | |
| oracle | communications_offline_mediation_controller | 12.0.0.3.0 | |
| oracle | communications_pricing_design_center | 12.0.0.3.0 | |
| oracle | communications_services_gatekeeper | 7.0 | |
| oracle | communications_session_route_manager | * | |
| oracle | flexcube_private_banking | 12.0.0 | |
| oracle | flexcube_private_banking | 12.1.0 | |
| oracle | hyperion_infrastructure_technology | 11.1.2.6.0 | |
| oracle | rest_data_services | * | |
| oracle | retail_eftlink | 20.0.0 | |
| oracle | siebel_core_-_automation | * | |
| apache | kafka | 2.7.0 | |
| apache | spark | 2.4.8 | |
| apache | spark | 3.0.3 | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D3A7A01A-43C6-46A9-A130-63426D936FE7",
"versionEndExcluding": "9.4.35",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:10.0.0:alpha0:*:*:*:*:*:*",
"matchCriteriaId": "1990759E-0F78-46B3-AFBE-0DA9257A7859",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:10.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "E64388F4-6B8A-4E75-BE0A-6016C6FBD5DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:10.0.0:beta0:*:*:*:*:*:*",
"matchCriteriaId": "D150F823-216A-40FB-B995-FD6FFB41891A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:10.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "B9774976-A762-4E10-B1C0-8FD8185DF334",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "334FAEF6-CEC6-445F-B52D-7FF38CDB9F79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:11.0.0:alpha0:*:*:*:*:*:*",
"matchCriteriaId": "68AA0626-071A-48CE-82B5-80465F21C29F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:11.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "A4ED8DCB-A1DA-44D1-B906-137E00EC51C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5DF6B532-FC1B-429A-B06F-0361ED12CB2E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9273745-6408-4CD3-94E8-9385D4F5FE69",
"versionEndIncluding": "3.1.3",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7",
"versionEndExcluding": "21.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0535B116-57D6-4448-86A2-09BCE50894B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49ACFC73-A509-4D1C-8FC3-F68F495AB055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7B49D71-6A31-497A-B6A9-06E84F086E7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "062E4E7C-55BB-46F3-8B61-5A663B565891",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1FDBAD8E-C926-4D6F-9FD2-B0428980D6DF",
"versionEndIncluding": "8.2.4",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6762F207-93C7-4363-B2F9-7A7C6F8AF993",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37A1E0FB-F706-4FB7-86E1-18268A744A80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*",
"matchCriteriaId": "D0AFFDC9-8EBA-45A2-AD53-18E663AF4631",
"versionEndExcluding": "20.4.3.050.1904",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_eftlink:20.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E834CC29-EFFC-4B09-89FD-761E3744F23C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB179FD5-5BA4-43BD-BDAE-F30E2A1E8781",
"versionEndIncluding": "21.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:kafka:2.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E11C498-F3AF-4324-A427-735FB3DD46D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "63630C2A-F68C-491B-A5A5-FC15D44927CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0975A782-8D53-4C16-9271-D6C3ACEBF5C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request."
},
{
"lang": "es",
"value": "En Eclipse Jetty versi\u00f3n 9.4.0.RC0 hasta 9.4.34.v20201102, 10.0.0.alpha0 hasta 10.0.0.beta2 y 11.0.0.alpha0 hasta 11.0.0.beta2, si la inflaci\u00f3n del cuerpo de la petici\u00f3n GZIP est\u00e1 habilitada y solicita de diferentes clientes se multiplexan en una sola conexi\u00f3n, y si un atacante puede enviar una petici\u00f3n con un cuerpo que es recibido por completo pero no consumido por la aplicaci\u00f3n, entonces una petici\u00f3n posterior en la misma conexi\u00f3n ver\u00e1 ese cuerpo antepuesto a su cuerpo. El atacante no ver\u00e1 ning\u00fan dato, pero puede inyectar datos en el cuerpo de la petici\u00f3n posterior"
}
],
"id": "CVE-2020-27218",
"lastModified": "2024-11-21T05:20:52.870",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-28T01:15:11.587",
"references": [
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892"
},
{
"source": "emo@eclipse.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
},
{
"source": "emo@eclipse.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201218-0003/"
},
{
"source": "emo@eclipse.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "emo@eclipse.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "emo@eclipse.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "emo@eclipse.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201218-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"sourceIdentifier": "emo@eclipse.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-226"
}
],
"source": "emo@eclipse.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-10 09:15
Modified
2024-11-21 06:16
Severity ?
Summary
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd | Mailing List, Vendor Advisory | |
| security@apache.org | https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | spark | * | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "064126C5-A909-4417-A1C6-A9D50375F926",
"versionEndExcluding": "3.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "55F091C7-0869-4FD6-AC73-DA697D990304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4D134C60-F9E2-46C2-8466-DB90AD98439E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
},
{
"lang": "es",
"value": "Apache Spark soporta el cifrado de extremo a extremo de las conexiones RPC por medio de \"spark.authenticate\" y \"spark.network.crypto.enabled\". En versiones 3.1.2 y anteriores, usa un protocolo de autenticaci\u00f3n mutua a medida que permite la recuperaci\u00f3n total de la clave de cifrado. Despu\u00e9s de un ataque interactivo inicial, esto permitir\u00eda a alguien descifrar el tr\u00e1fico de texto plano fuera de l\u00ednea. Tenga en cuenta que esto no afecta a los mecanismos de seguridad controlados por \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Actualice a Apache Spark versi\u00f3n 3.1.3 o posterior"
}
],
"id": "CVE-2021-38296",
"lastModified": "2024-11-21T06:16:44.463",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-10T09:15:07.000",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-12 13:29
Modified
2024-11-21 03:32
Severity ?
Summary
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46377024-4D7A-47C4-82EE-C8B693480432",
"versionEndIncluding": "2.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user\u0027s trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs."
},
{
"lang": "es",
"value": "En Spark anterior a versi\u00f3n 2.2.0 de Apache, es posible que un atacante tome ventaja de la confianza de un usuario en el servidor para enga\u00f1arlo y que visite un enlace que apunte a un cl\u00faster Spark compartido y env\u00ede datos incluyendo MHTML al master Spark , o un historial del servidor. Esta informaci\u00f3n, que podr\u00eda contener un script, se reflejar\u00eda de vuelta hacia al usuario y podr\u00eda ser evaluada y ejecutada por los clientes basados en MS Windows. No es un ataque sobre el Spark en s\u00ed, sino sobre el usuario, quien puede ejecutar el script inadvertidamente cuando visualiza elementos de las interfaces de usuario web de Spark."
}
],
"id": "CVE-2017-7678",
"lastModified": "2024-11-21T03:32:26.723",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-12T13:29:00.267",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99603"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99603"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-07-12 13:29
Modified
2024-11-21 03:59
Severity ?
Summary
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF96ABAC-B3E9-40C1-8CD2-4F1907C76317",
"versionEndIncluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5B95AEE-9895-43B4-A7B3-82F32E3DF309",
"versionEndIncluding": "2.2.1",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69EA4E44-C122-47DC-8083-FD55B064363A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it\u0027s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application."
},
{
"lang": "es",
"value": "En Apache Spark 1.0.0 a 2.1.2, 2.2.0 a 2.2.1 y 2.3.0, al emplear PySpark o SparkR, es posible que un usuario local diferente se conecte a la aplicaci\u00f3n Spark y suplante al usuario que ejecuta la aplicaci\u00f3n Spark."
}
],
"id": "CVE-2018-1334",
"lastModified": "2024-11-21T03:59:38.733",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-12T13:29:00.227",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-1334"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-1334"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-26 22:15
Modified
2024-11-21 05:20
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eclipse | jetty | * | |
| eclipse | jetty | 9.4.6 | |
| eclipse | jetty | 9.4.6 | |
| eclipse | jetty | 9.4.36 | |
| eclipse | jetty | 9.4.36 | |
| eclipse | jetty | 10.0.0 | |
| eclipse | jetty | 11.0.0 | |
| apache | nifi | 1.13.0 | |
| apache | spark | 3.1.1 | |
| netapp | e-series_santricity_os_controller | * | |
| netapp | e-series_santricity_web_services | - | |
| netapp | element_plug-in_for_vcenter_server | - | |
| netapp | hci | - | |
| netapp | hci_management_node | - | |
| netapp | management_services_for_element_software | - | |
| netapp | snap_creator_framework | - | |
| netapp | snapcenter | - | |
| netapp | snapmanager | - | |
| netapp | snapmanager | - | |
| netapp | solidfire | - | |
| debian | debian_linux | 10.0 | |
| apache | solr | 8.8.1 | |
| oracle | rest_data_services | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F30DCAA9-4998-4E2F-9341-8E0F1752CB92",
"versionEndExcluding": "9.4.36",
"versionStartIncluding": "9.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*",
"matchCriteriaId": "16872138-6AF5-418F-998F-1220DA602AE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:*",
"matchCriteriaId": "3211336E-0EE6-4676-AEFA-A778176C0ECE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:9.4.36:-:*:*:*:*:*:*",
"matchCriteriaId": "23BC90F3-4107-46B6-8135-42374512EDDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:9.4.36:20210114:*:*:*:*:*:*",
"matchCriteriaId": "F8B77C51-6991-4C6B-9112-AC87B0E9D530",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "5737CF3E-AA46-45DD-801A-E22ACCDB00CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "52F4E0D3-9709-4073-9DE0-F36CDD3DB62F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:nifi:1.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "12AA1D39-F2E2-48E7-9D9F-49F5E52F29B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:3.1.1:-:*:*:*:*:*:*",
"matchCriteriaId": "16A8F28D-5F62-4F99-9292-20E039E0756B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF971916-C526-43A9-BD80-985BCC476569",
"versionEndIncluding": "11.70.1",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*",
"matchCriteriaId": "1AEFF829-A8F2-4041-8DDF-E705DB3ADED2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*",
"matchCriteriaId": "214712B6-59AF-4B5E-84BF-AF3C74A390EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8A6E548F-62E9-40CB-85DA-FDAA0F0096C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*",
"matchCriteriaId": "86B51137-28D9-41F2-AFA2-3CC22B4954D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*",
"matchCriteriaId": "26A2B713-7D6D-420A-93A4-E0D983C983DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*",
"matchCriteriaId": "64DE38C8-94F1-4860-B045-F33928F676A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:solr:8.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "42672AEA-5920-4951-ADCF-5D5AA4AB4A77",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*",
"matchCriteriaId": "D0AFFDC9-8EBA-45A2-AD53-18E663AF4631",
"versionEndExcluding": "20.4.3.050.1904",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of \u201cquality\u201d (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values."
},
{
"lang": "es",
"value": "En Eclipse Jetty versiones 9.4.6.v20170531 hasta 9.4.36.v20210114 (inclusive), versiones 10.0.0 y 11.0.0, cuando Jetty maneja una petici\u00f3n que contiene m\u00faltiples encabezados Accept con una gran cantidad de par\u00e1metros \u201cquality\u201d (es decir, q), el servidor puede entrar en un estado de denegaci\u00f3n de servicio (DoS) debido al alto uso de CPU procesando esos valores de calidad, resultando en minutos de tiempo de CPU agotados procesando esos valores de calidad"
}
],
"id": "CVE-2020-27223",
"lastModified": "2024-11-21T05:20:53.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "emo@eclipse.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-26T22:15:19.317",
"references": [
{
"source": "emo@eclipse.org",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128"
},
{
"source": "emo@eclipse.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78%40%3Cissues.solr.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320%40%3Cusers.solr.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc%40%3Cgitbox.activemq.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f%40%3Cissues.nifi.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb%40%3Cissues.nifi.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7%40%3Cissues.nifi.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea%40%3Cuser.karaf.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r65c714241b9d064a44fec10d60ebf5a37d5ebadd6bf88b0eed13ade0%40%3Cissues.solr.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243%40%3Cdev.lucene.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211%40%3Cissues.solr.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a%40%3Cissues.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080%40%3Cdev.lucene.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2%40%3Creviews.spark.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f%40%3Cissues.solr.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "emo@eclipse.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210401-0005/"
},
{
"source": "emo@eclipse.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"source": "emo@eclipse.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78%40%3Cissues.solr.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320%40%3Cusers.solr.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc%40%3Cgitbox.activemq.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f%40%3Cissues.nifi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb%40%3Cissues.nifi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7%40%3Cissues.nifi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea%40%3Cuser.karaf.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r65c714241b9d064a44fec10d60ebf5a37d5ebadd6bf88b0eed13ade0%40%3Cissues.solr.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243%40%3Cdev.lucene.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211%40%3Cissues.solr.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff%40%3Cissues.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43%40%3Ccommits.druid.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed%40%3Cjira.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614%40%3Cdev.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080%40%3Cdev.lucene.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2%40%3Creviews.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f%40%3Cissues.solr.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c%40%3Ccommits.kafka.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210401-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
],
"sourceIdentifier": "emo@eclipse.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-407"
}
],
"source": "emo@eclipse.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-07 17:15
Modified
2024-11-21 04:18
Severity ?
Summary
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "348D0E20-6B63-4516-B1A8-46FEE778E07E",
"versionEndIncluding": "1.6.3",
"versionStartIncluding": "1.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFB8C81A-DF11-4616-83C3-67B49BFD5C86",
"versionEndIncluding": "2.0.2",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF05757C-1031-4F5E-A70E-EDF8ECEBCB86",
"versionEndIncluding": "2.1.3",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D25D5D98-C601-4976-93BC-DEC6CD067CDC",
"versionEndIncluding": "2.2.2",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "674CFE0D-8FEE-4757-A007-1BEEABB517C7",
"versionEndExcluding": "2.3.2",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs."
},
{
"lang": "es",
"value": "Spark anterior a versi\u00f3n 2.3.3, en ciertas situaciones, Spark escribir\u00eda los datos de usuario en el disco local sin cifrar, incluso si spark.io.encryption.enabled=true. Esto incluye los bloques almacenados en cach\u00e9 que son tra\u00eddos al disco (controlados por spark.maxRemoteBlockSizeFetchToMem); en SparkR, usando parallelize; en Pyspark, usando broadcast y parallelize; y el uso de udfs de python."
}
],
"id": "CVE-2019-10099",
"lastModified": "2024-11-21T04:18:24.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-07T17:15:12.073",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e%40%3Cuser.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2%40%3Cissues.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e%40%3Cuser.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae%40%3Ccommits.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2%40%3Cissues.spark.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-23 22:15
Modified
2024-11-21 05:40
Severity ?
Summary
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | spark | * | |
| oracle | business_intelligence | 5.5.0.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0CFB1ECF-C94D-4EDD-9EBD-9B60803D4125",
"versionEndIncluding": "2.4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "D40AD626-B23A-44A3-A6C0-1FFB4D647AE4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Spark 2.4.5 and earlier, a standalone resource manager\u0027s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application\u0027s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc)."
},
{
"lang": "es",
"value": "En Apache Spark versi\u00f3n 2.4.5 y versiones anteriores, el maestro de un administrador de recursos independiente puede ser configurado para requerir autenticaci\u00f3n (spark.authenticate) por medio de un secreto compartido. Sin embargo, cuando est\u00e1 habilitado, una RPC especialmente dise\u00f1ado para el maestro puede tener \u00e9xito al iniciar los recursos de una aplicaci\u00f3n en el cl\u00faster Spark, incluso sin la clave compartida. Esto se puede aprovechar para ejecutar comandos de shell sobre la m\u00e1quina host. Esto no afecta a los cl\u00fasteres de Spark que usan otros administradores de recursos (YARN, Mesos, etc.)"
}
],
"id": "CVE-2020-9480",
"lastModified": "2024-11-21T05:40:43.943",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-23T22:15:14.137",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2020-9480"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r03ad9fe7c07d6039fba9f2152d345274473cb0af3d8a4794a6645f4b%40%3Cuser.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra0e62a18ad080c4ce6df5e0202a27eaada75222761efc3f7238b5a3b%40%3Ccommits.doris.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb3956440747e41940d552d377d50b144b60085e7ff727adb0e575d8d%40%3Ccommits.submarine.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ree9e87aae81852330290a478692e36ea6db47a52a694545c7d66e3e2%40%3Cdev.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2020-9480"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-02 09:15
Modified
2024-11-21 08:02
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DC23EB9-9F4E-40BF-B048-51D8DE194C6A",
"versionEndIncluding": "3.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4429EBEB-B1D9-4A70-9B7F-7B27B8506700",
"versionEndIncluding": "3.1.3",
"versionStartIncluding": "3.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48E12AD0-1B58-4786-B28C-C661B3932736",
"versionEndIncluding": "3.2.1",
"versionStartIncluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\n\nUsers are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.\n\n\n"
}
],
"id": "CVE-2023-32007",
"lastModified": "2024-11-21T08:02:30.967",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-02T09:15:10.207",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33891"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/05/02/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33891"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-01 16:15
Modified
2024-11-21 07:05
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/11/01/14 | Mailing List | |
| security@apache.org | https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/11/01/14 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C9E7146B-73E4-4CB5-89EC-4DDC270B2786",
"versionEndExcluding": "3.2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:spark:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2797321B-479D-45EF-A50F-0EC8C5500761",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en Apache Spark 3.2.1 y anteriores, y 3.3.0, permite a atacantes remotos ejecutar JavaScript arbitrario en el navegador web de un usuario, al incluir un payload malicioso en los registros que ser\u00edan devuelto en registros representados en la interfaz de usuario."
}
],
"id": "CVE-2022-31777",
"lastModified": "2024-11-21T07:05:17.790",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-01T16:15:13.367",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-08-13 16:29
Modified
2024-11-21 03:43
Severity ?
Summary
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/105097 | Broken Link, Third Party Advisory, VDB Entry | |
| security@apache.org | https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E | Mailing List, Third Party Advisory | |
| security@apache.org | https://spark.apache.org/security.html#CVE-2018-11770 | Exploit, Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105097 | Broken Link, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://spark.apache.org/security.html#CVE-2018-11770 | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4D04790B-958F-4EB3-A394-E2CDD09CB458",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "From version 1.3.0 onward, Apache Spark\u0027s standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property \u0027spark.authenticate.secret\u0027 establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting \u0027spark.authenticate.secret\u0027 when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of \u0027spark.master.rest.enabled\u0027 to \u0027false\u0027."
},
{
"lang": "es",
"value": "A partir de la versi\u00f3n 1.3.0, el maestro standalone de Apache Spark expone una API REST para el env\u00edo de trabajos, adem\u00e1s del mecanismo de env\u00edo utilizado por spark-submit. En modo standalone, la propiedad config \u0027spark.authenticate.secret\u0027 establece un secreto compartido para autenticar las solicitudes de env\u00edo de trabajos a trav\u00e9s de spark-submit. Sin embargo, la API REST no utiliza ni este ni ning\u00fan otro mecanismo de autenticaci\u00f3n, y esto no est\u00e1 adecuadamente documentado. En este caso, un usuario podr\u00eda ejecutar un programa de controlador sin autenticar, pero no lanzar ejecutores utilizando la API REST. Esta API REST tambi\u00e9n es utilizada por Mesos, cuando est\u00e1 configurada para ejecutarse en modo cluster (es decir, cuando tambi\u00e9n se ejecuta MesosClusterDispatcher), para el env\u00edo de trabajos. Las versiones futuras de Spark mejorar\u00e1n la documentaci\u00f3n sobre estos puntos y prohibir\u00e1n establecer \"spark.authenticate.secret\" cuando se ejecuten las API REST para dejar esto claro. Las versiones futuras tambi\u00e9n desactivar\u00e1n la API REST de forma predeterminada en el maestro standalone cambiando el valor predeterminado de \"spark.master.rest.enabled\" a \"false\"."
}
],
"id": "CVE-2018-11770",
"lastModified": "2024-11-21T03:43:59.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-08-13T16:29:00.650",
"references": [
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105097"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11770"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105097"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://spark.apache.org/security.html#CVE-2018-11770"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}