VDB
CNVD-2026-14252
PUBLISHED
CVSS 8.8 HIGH
Apache Spark is a large-scale data processing engine from the Apache Software Foundation (United States) that supports acyclic data flow and in-memory computing. Apache Spark has a deserialization vulnerability. The vulnerability stems from overly permissive Jackson deserialization of event log data in the Spark History Web UI; an attacker can exploit it to execute arbitrary code on the host by injecting a malicious JSON payload.
Risk Scores
CVSS v3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Spark | 0, 4.0.0 |
Exploit Intelligence
- http://www.openwall.com/lists/oss-security/2026/03/13/4 (circl)
- https://github.com/apache/spark/pull/51312 (circl)
- https://github.com/apache/spark/pull/51323 (circl)
- https://issues.apache.org/jira/browse/SPARK-52381 (circl)
- https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s (circl)
- CIRCL seen: CVE-2025-54920 (circl-sighting)
Timeline
- Mar 16, 2026 CVE Published
- Mar 30, 2026 PoC Published