CVE-2019-10099
HIGHApache Spark < 1.6.3 and 2.0.0-2.3.2 - Cleartext Storage of Sensitive Information
Title source: llmDescription
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.
References (3)
Core 3
Core References
Mailing List x_refsource_misc
https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e%40%3Cuser.spark.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2%40%3Cissues.spark.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae%40%3Ccommits.spark.apache.org%3E
Scores
CVSS v3
7.5
EPSS
0.0029
EPSS Percentile
51.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-312
Status
published
Products (3)
apache/spark
1.0.2 - 1.6.3
org.apache.spark/spark-core_2.11
0 - 2.3.3Maven
pypi/pyspark
0 - 2.3.3PyPI
Published
Aug 07, 2019
Tracked Since
Feb 18, 2026