QwikSec

Security Database

CVE

CWE

Training

CVE-2019-10099

Published: Aug 7, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Vendor	Product	Versions
Apache	Apache Spark	affected `2.3.2 and below`

References

https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e%40%3Cuser.spark.apache.org%3E

x_refsource_MISC

[spark-issues] 20200318 [jira] [Commented] (SPARK-28626) Spark leaves unencrypted data on local disk, even with encryption turned on (CVE-2019-10099)

mailing-list

x_refsource_MLIST

[spark-commits] 20200622 [spark-website] branch asf-site updated: CVE-2020-9480 details (#275)

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.