cvelistv5 - cve-2021-38296

CVE-2021-38296 (GCVE-0-2021-38296)

Vulnerability from cvelistv5 – Published: 2022-03-10 08:20 – Updated: 2024-08-04 01:37

Summary

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later

Severity ?

No CVSS data available.

CWE

CWE-294 - Authentication Bypass by Capture-replay

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/70x8fw2gx3g9ty7yk…	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Spark	Affected: up to and including version 3.1.2 , ≤ 3.1.2 (custom)

Credits

Steve Weis (Databricks)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.315Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Spark",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.1.2",
              "status": "affected",
              "version": "up to and including version 3.1.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Steve Weis (Databricks)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-294",
              "description": "CWE-294 Authentication Bypass by Capture-replay",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:31:48",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Spark Key Negotiation Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-38296",
          "STATE": "PUBLIC",
          "TITLE": "Apache Spark Key Negotiation Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Spark",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "up to and including version 3.1.2",
                            "version_value": "3.1.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Steve Weis (Databricks)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-294 Authentication Bypass by Capture-replay"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-38296",
    "datePublished": "2022-03-10T08:20:12",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-04T01:37:16.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.1.3\", \"matchCriteriaId\": \"064126C5-A909-4417-A1C6-A9D50375F926\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"55F091C7-0869-4FD6-AC73-DA697D990304\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D134C60-F9E2-46C2-8466-DB90AD98439E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Spark supports end-to-end encryption of RPC connections via \\\"spark.authenticate\\\" and \\\"spark.network.crypto.enabled\\\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \\\"spark.authenticate.enableSaslEncryption\\\", \\\"spark.io.encryption.enabled\\\", \\\"spark.ssl\\\", \\\"spark.ui.strictTransportSecurity\\\". Update to Apache Spark 3.1.3 or later\"}, {\"lang\": \"es\", \"value\": \"Apache Spark soporta el cifrado de extremo a extremo de las conexiones RPC por medio de \\\"spark.authenticate\\\" y \\\"spark.network.crypto.enabled\\\". En versiones 3.1.2 y anteriores, usa un protocolo de autenticaci\\u00f3n mutua a medida que permite la recuperaci\\u00f3n total de la clave de cifrado. Despu\\u00e9s de un ataque interactivo inicial, esto permitir\\u00eda a alguien descifrar el tr\\u00e1fico de texto plano fuera de l\\u00ednea. Tenga en cuenta que esto no afecta a los mecanismos de seguridad controlados por \\\"spark.authenticate.enableSaslEncryption\\\", \\\"spark.io.encryption.enabled\\\", \\\"spark.ssl\\\", \\\"spark.ui.strictTransportSecurity\\\". Actualice a Apache Spark versi\\u00f3n 3.1.3 o posterior\"}]",
      "id": "CVE-2021-38296",
      "lastModified": "2024-11-21T06:16:44.463",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-03-10T09:15:07.000",
      "references": "[{\"url\": \"https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-294\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-294\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-38296\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-03-10T09:15:07.000\",\"lastModified\":\"2024-11-21T06:16:44.463\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Spark supports end-to-end encryption of RPC connections via \\\"spark.authenticate\\\" and \\\"spark.network.crypto.enabled\\\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \\\"spark.authenticate.enableSaslEncryption\\\", \\\"spark.io.encryption.enabled\\\", \\\"spark.ssl\\\", \\\"spark.ui.strictTransportSecurity\\\". Update to Apache Spark 3.1.3 or later\"},{\"lang\":\"es\",\"value\":\"Apache Spark soporta el cifrado de extremo a extremo de las conexiones RPC por medio de \\\"spark.authenticate\\\" y \\\"spark.network.crypto.enabled\\\". En versiones 3.1.2 y anteriores, usa un protocolo de autenticaci\u00f3n mutua a medida que permite la recuperaci\u00f3n total de la clave de cifrado. Despu\u00e9s de un ataque interactivo inicial, esto permitir\u00eda a alguien descifrar el tr\u00e1fico de texto plano fuera de l\u00ednea. Tenga en cuenta que esto no afecta a los mecanismos de seguridad controlados por \\\"spark.authenticate.enableSaslEncryption\\\", \\\"spark.io.encryption.enabled\\\", \\\"spark.ssl\\\", \\\"spark.ui.strictTransportSecurity\\\". Actualice a Apache Spark versi\u00f3n 3.1.3 o posterior\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.1.3\",\"matchCriteriaId\":\"064126C5-A909-4417-A1C6-A9D50375F926\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55F091C7-0869-4FD6-AC73-DA697D990304\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D134C60-F9E2-46C2-8466-DB90AD98439E\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

PYSEC-2022-186

Vulnerability from pysec - Published: 2022-03-10 09:15 - Updated: 2022-05-17 21:40

Details

Impacted products

Name	purl
pyspark	pkg:pypi/pyspark

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyspark",
        "purl": "pkg:pypi/pyspark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.2.0",
        "2.2.1",
        "2.2.2",
        "2.2.3",
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.3.4",
        "2.4.0",
        "2.4.1",
        "2.4.2",
        "2.4.3",
        "2.4.4",
        "2.4.5",
        "2.4.6",
        "2.4.7",
        "2.4.8",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.1.1",
        "3.1.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-38296",
    "GHSA-9rr6-jpg7-9jg6"
  ],
  "details": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later",
  "id": "PYSEC-2022-186",
  "modified": "2022-05-17T21:40:53.336457Z",
  "published": "2022-03-10T09:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-9rr6-jpg7-9jg6"
    }
  ]
}

FKIE_CVE-2021-38296

Vulnerability from fkie_nvd - Published: 2022-03-10 09:15 - Updated: 2024-11-21 06:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd	Mailing List, Vendor Advisory
security@apache.org	https://www.oracle.com/security-alerts/cpujul2022.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujul2022.html	Patch, Third Party Advisory

Impacted products

Vendor	Product	Version
apache	spark	*
oracle	financial_services_crime_and_compliance_management_studio	8.0.8.2.0
oracle	financial_services_crime_and_compliance_management_studio	8.0.8.3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "064126C5-A909-4417-A1C6-A9D50375F926",
              "versionEndExcluding": "3.1.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "55F091C7-0869-4FD6-AC73-DA697D990304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D134C60-F9E2-46C2-8466-DB90AD98439E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
    },
    {
      "lang": "es",
      "value": "Apache Spark soporta el cifrado de extremo a extremo de las conexiones RPC por medio de \"spark.authenticate\" y \"spark.network.crypto.enabled\". En versiones 3.1.2 y anteriores, usa un protocolo de autenticaci\u00f3n mutua a medida que permite la recuperaci\u00f3n total de la clave de cifrado. Despu\u00e9s de un ataque interactivo inicial, esto permitir\u00eda a alguien descifrar el tr\u00e1fico de texto plano fuera de l\u00ednea. Tenga en cuenta que esto no afecta a los mecanismos de seguridad controlados por \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Actualice a Apache Spark versi\u00f3n 3.1.3 o posterior"
    }
  ],
  "id": "CVE-2021-38296",
  "lastModified": "2024-11-21T06:16:44.463",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-10T09:15:07.000",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-294"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-294"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-9RR6-JPG7-9JG6

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2024-10-25 20:49

Summary

Authentication Bypass by Capture-replay in Apache Spark

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyspark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-38296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-11T20:30:09Z",
    "nvd_published_at": "2022-03-10T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later",
  "id": "GHSA-9rr6-jpg7-9jg6",
  "modified": "2024-10-25T20:49:39Z",
  "published": "2022-03-11T00:02:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38296"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-9rr6-jpg7-9jg6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-186.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Authentication Bypass by Capture-replay in Apache Spark"
}

GSD-2021-38296

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-38296

Aliases

CVE-2021-38296

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-38296",
    "description": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later",
    "id": "GSD-2021-38296"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-38296"
      ],
      "details": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later",
      "id": "GSD-2021-38296",
      "modified": "2023-12-13T01:23:17.706863Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-38296",
        "STATE": "PUBLIC",
        "TITLE": "Apache Spark Key Negotiation Vulnerability"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Spark",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "up to and including version 3.1.2",
                          "version_value": "3.1.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Steve Weis (Databricks)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {
          "other": "moderate"
        }
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-294 Authentication Bypass by Capture-replay"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,3.1.3)",
          "affected_versions": "All versions before 3.1.3",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-294",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later",
          "fixed_versions": [
            "3.1.3"
          ],
          "identifier": "CVE-2021-38296",
          "identifiers": [
            "CVE-2021-38296",
            "GHSA-9rr6-jpg7-9jg6"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.spark/spark-core",
          "pubdate": "2022-03-10",
          "solution": "Upgrade to version 3.1.3 or above.",
          "title": "Authentication Bypass by Capture-replay",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-38296",
            "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd",
            "https://github.com/advisories/GHSA-9rr6-jpg7-9jg6"
          ],
          "uuid": "9f156719-a388-4961-be5a-ea48f5da78c1"
        },
        {
          "affected_range": "\u003c3.1.3",
          "affected_versions": "All versions before 3.1.3",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-294",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "Apache Spark supports end-to-end encryption of RPC connections via `spark.authenticate` and `spark.network.crypto.enabled`. In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by `spark.authenticate.enableSaslEncryption`, `spark.io.encryption.enabled`, `spark.ssl`, `spark.ui.strictTransportSecurity`. Update to Apache Spark 3.1.3 or later",
          "fixed_versions": [
            "3.1.3"
          ],
          "identifier": "CVE-2021-38296",
          "identifiers": [
            "CVE-2021-38296"
          ],
          "not_impacted": "All versions starting from 3.1.3",
          "package_slug": "pypi/pyspark",
          "pubdate": "2022-03-10",
          "solution": "Upgrade to version 3.1.3 or above.",
          "title": "Authentication Bypass by Capture-replay",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-38296",
            "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
          ],
          "uuid": "bdc88cae-5e18-44e8-b69f-c2465c67de03"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.1.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-38296"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-294"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-02-09T02:02Z",
      "publishedDate": "2022-03-10T09:15Z"
    }
  }
}

CNVD-2022-21823

Vulnerability from cnvd - Published: 2022-03-23

Title

Apache Spark加密问题漏洞（CNVD-2022-21823）

Description

Apache Spark是一个多语言引擎，用于在单节点机器或集群上执行数据工程、数据科学和机器学习。 Apache Spark存在加密问题漏洞，该漏洞源于程序使用了定制的相互身份验证协议，允许完全加密密钥恢复，攻击者可利用该漏洞离线解密明文流量。

Severity

中

Patch Name

Apache Spark加密问题漏洞（CNVD-2022-21823）的补丁

Patch Description

Apache Spark是一个多语言引擎，用于在单节点机器或集群上执行数据工程、数据科学和机器学习。 Apache Spark存在加密问题漏洞，该漏洞源于程序使用了定制的相互身份验证协议，允许完全加密密钥恢复，攻击者可利用该漏洞离线解密明文流量。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-38296

Impacted products

Name
Apache Spark <=3.1.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-38296",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-38296"
    }
  },
  "description": "Apache Spark\u662f\u4e00\u4e2a\u591a\u8bed\u8a00\u5f15\u64ce\uff0c\u7528\u4e8e\u5728\u5355\u8282\u70b9\u673a\u5668\u6216\u96c6\u7fa4\u4e0a\u6267\u884c\u6570\u636e\u5de5\u7a0b\u3001\u6570\u636e\u79d1\u5b66\u548c\u673a\u5668\u5b66\u4e60\u3002\n\nApache Spark\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e86\u5b9a\u5236\u7684\u76f8\u4e92\u8eab\u4efd\u9a8c\u8bc1\u534f\u8bae\uff0c\u5141\u8bb8\u5b8c\u5168\u52a0\u5bc6\u5bc6\u94a5\u6062\u590d\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u79bb\u7ebf\u89e3\u5bc6\u660e\u6587\u6d41\u91cf\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-21823",
  "openTime": "2022-03-23",
  "patchDescription": "Apache Spark\u662f\u4e00\u4e2a\u591a\u8bed\u8a00\u5f15\u64ce\uff0c\u7528\u4e8e\u5728\u5355\u8282\u70b9\u673a\u5668\u6216\u96c6\u7fa4\u4e0a\u6267\u884c\u6570\u636e\u5de5\u7a0b\u3001\u6570\u636e\u79d1\u5b66\u548c\u673a\u5668\u5b66\u4e60\u3002\r\n\r\nApache Spark\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e86\u5b9a\u5236\u7684\u76f8\u4e92\u8eab\u4efd\u9a8c\u8bc1\u534f\u8bae\uff0c\u5141\u8bb8\u5b8c\u5168\u52a0\u5bc6\u5bc6\u94a5\u6062\u590d\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u79bb\u7ebf\u89e3\u5bc6\u660e\u6587\u6d41\u91cf\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Spark\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-21823\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Spark \u003c=3.1.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-38296",
  "serverity": "\u4e2d",
  "submitTime": "2022-03-11",
  "title": "Apache Spark\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-21823\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-38296 (GCVE-0-2021-38296)

PYSEC-2022-186

FKIE_CVE-2021-38296

GHSA-9RR6-JPG7-9JG6

GSD-2021-38296

CNVD-2022-21823

Tags

Sightings

Nomenclature