CVE-2019-10099

CWE-312 — Cleartext Storage of Sensitive Info6 documents5 sources

Severity

7.5HIGH

EPSS

0.5%

top 32.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Spark Apache Apache Spark

Timeline

PublishedAug 7

Latest updateAug 8

Description

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶PyPIpyspark< 2.3.3

▶NVDapache/spark2.3.0 — 2.3.2+4

▶Mavenorg.apache.spark:spark-core_2.11< 2.3.3

▶CVEListV5apache/apache_spark2.3.2 and below

🔴Vulnerability Details

OSV

Sensitive data written to disk unencrypted in Spark↗2019-08-08

▶

GHSA

Sensitive data written to disk unencrypted in Spark↗2019-08-08

▶

OSV

CVE-2019-10099: Prior to Spark 2↗2019-08-07

▶

CVEList

CVE-2019-10099: Prior to Spark 2↗2019-08-07

▶

📋Vendor Advisories

Apache

Apache spark: CVE-2019-10099↗

▶