CVE-2019-10099

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Spark
Vendor: CVE Published:; 7 August 2019

Summary

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Affected Version(s)

Apache Spark 2.3.2 and below

References

https://lists.apache.org/thread.html/c2a39c207421797f8282...

x_refsource_MISC

https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 7, 2019
Vulnerability Reserved
Mar 26, 2019

.