PyPI: spark-on-k8s

CVE-2024-28746

Transitive (the vulnerable code is in the apache-airflow dependency, not in spark-on-k8s itself)

Safety vulnerability ID: 66923

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 14, 2024 Updated at Feb 17, 2025

Advisory

spark-on-k8s 0.4.0 bumps its Airflow dependency to 2.8.3, the release that addresses CVE-2024-28746, as a proactive measure; the vulnerable code is in the apache-airflow dependency rather than in spark-on-k8s itself. Note that upgrading spark-on-k8s only removes the exposure if the resolver actually installs apache-airflow 2.8.3 or later: a separate pin or constraints file that holds Airflow back leaves the environment affected, so verify the installed apache-airflow version as well.
https://github.com/hussein-awala/spark-on-k8s/pull/23/commits/6d2675636f768bdeec21bcabc402a9ffd13ea75a
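Because the exposure is transitive, the practical check is on the installed apache-airflow version, not just on spark-on-k8s. The following script is an added example, not code from the spark-on-k8s project or from the advisory source: it takes the fixed versions from the advisory above, normalises distribution names the way PyPI does, orders versions with a small PEP 440 subset (release segments plus a/b/rc pre-releases; assumption: nothing more exotic is in play), and can read the live interpreter's distributions through importlib.metadata. The sample environment is constructed for illustration.

```python
"""Check an environment for exposure to CVE-2024-28746 via the
spark-on-k8s -> apache-airflow dependency chain.

Added example, not code from spark-on-k8s or from the advisory source.
Fixed versions are taken from the advisory above; the version parser is a
deliberately small PEP 440 subset (release segments plus a/b/rc pre-releases).
"""
import re
from importlib import metadata

# Fixed versions stated in the advisory; anything older is treated as affected.
FIXED_VERSIONS = {
    "spark-on-k8s": "0.4.0",      # release that bumps the Airflow requirement
    "apache-airflow": "2.8.3",    # the dependency that actually carries the CVE
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", re.IGNORECASE)
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = 3


def canonical_name(name):
    """PEP 503 normalisation so 'Spark_On_K8s' and 'spark-on-k8s' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Return a tuple that orders like PEP 440 for the cases this check needs.

    Trailing zeros are dropped so 2.8.3.0 == 2.8.3, and pre-releases sort
    before the matching final release (2.8.3rc1 < 2.8.3). Unparsable strings
    sort lowest so they are flagged as affected rather than silently passed.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return ((), -1, 0)
    release = [int(x) for x in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = m.group(2)
    rank = _PRE_RANK[pre.lower()] if pre else _FINAL
    return (tuple(release), rank, int(m.group(3) or 0))


def assess(installed):
    """Compare installed distributions against the fixed versions.

    installed: {distribution name: version string}.
    Returns {canonical name: (installed, fixed, affected)} for the packages
    present; a package that is not installed is simply not reported.
    """
    have = {canonical_name(n): v for n, v in installed.items()}
    findings = {}
    for name, fixed in FIXED_VERSIONS.items():
        version = have.get(canonical_name(name))
        if version is None:
            continue
        affected = parse_version(version) < parse_version(fixed)
        findings[canonical_name(name)] = (version, fixed, affected)
    return findings


def is_exposed(installed):
    """True if any relevant installed package is below its fixed version."""
    return any(affected for _, _, affected in assess(installed).values())


def live_environment():
    """Snapshot of the running interpreter's distributions via importlib.metadata."""
    return {d.metadata["Name"]: d.version for d in metadata.distributions()}


# Constructed sample environment (not taken from any real deployment): an old
# spark-on-k8s whose resolved Airflow is still a release before the fix.
SAMPLE_ENV = {"Spark_On_K8s": "0.3.0", "apache-airflow": "2.8.2", "kubernetes": "29.0.0"}

if __name__ == "__main__":
    for name, (have, fixed, affected) in assess(SAMPLE_ENV).items():
        print(f"{name}: installed {have}, fixed {fixed}, {'AFFECTED' if affected else 'ok'}")
    print("live environment exposed:", is_exposed(live_environment()))
```

Run it inside the virtualenv or container image that actually serves the application; the live check only sees what that interpreter has installed, so a lockfile that pins an older Airflow elsewhere still needs its own review.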

Affected package

spark-on-k8s

Latest version: 0.12.0

A Python package to submit and manage Apache Spark applications on Kubernetes.

Affected versions

<0.4.0 (per the advisory above: releases before the Airflow bump)

Fixed versions

0.4.0

Vulnerability changelog

What's Changed
This release introduces new features for the API and webserver, including the ability to kill and delete Spark jobs and read driver pod logs directly from the webserver, and some improvements for the helm chart access service account permissions.

* feat(webserver): implement a UI to stream driver pod logs by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/14
* chore: separate html templates and css styles by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/15
* chore: separate sync and async app manager in two modules by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/17
* feat: api routes to kill and delete spark app by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/16
* fix: use websocket client in async kill_app to run pod exec by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/18
* fix: remove duplicated app from app endpoints paths by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/19
* feat: add kill and delete features to the webserver by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/20
* fix: close the ws client properly by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/21
* security: bump airflow version to 2.8.3 to avoid CVE-2024-28746 by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/23
* feat(helm): support specific namespaces and switching between read and edit permissions by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/24
* fix(webserver): fix the static folder path by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/25
* fix(api): add missing websockets packages to api extra by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/26
* chore(webserver): add a page to redirect to when there is a K8S error by hussein-awala in https://github.com/hussein-awala/spark-on-k8s/pull/27


**Full Changelog**: https://github.com/hussein-awala/spark-on-k8s/compare/0.3.0...0.4.0


Severity Details

CVSS v3 Base Score: HIGH 8.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): NONE