GHSA-fp5j-3fpf-mhj5

Source

https://github.com/advisories/GHSA-fp5j-3fpf-mhj5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-fp5j-3fpf-mhj5/GHSA-fp5j-3fpf-mhj5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fp5j-3fpf-mhj5

Aliases

Published

2019-08-08T15:18:22Z

Modified

2024-10-24T22:35:50.837996Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Sensitive data written to disk unencrypted in Spark

Details

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Database specific

{
    "nvd_published_at": "2019-08-07T17:15:00Z",
    "cwe_ids": [
        "CWE-312"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2019-08-08T15:16:27Z"
}

References

Affected packages

Maven / org.apache.spark:spark-core_2.11

Package

Name: org.apache.spark:spark-core_2.11; View open source insights on deps.dev
Purl: pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.3

Affected versions

1.*

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.6.3

2.*

2.0.0

2.0.0-preview

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.1.3

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.3.1

2.3.2

PyPI / pyspark