Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj
Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
Permalink: https://github.com/advisories/GHSA-6mqq-8r44-vmjcJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 5 years ago
Updated: about 1 year ago
CVSS Score: 4.7
CVSS vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-6mqq-8r44-vmjc, CVE-2018-1334
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1334
- https://github.com/advisories/GHSA-6mqq-8r44-vmjc
- https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E
- https://spark.apache.org/security.html#CVE-2018-1334
Affected Packages
maven:org.apache.spark:spark-core_2.11
Dependent packages: 1,401Dependent repositories: 8,772
Downloads:
Affected Version Ranges: = 2.3.0, >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.3.1, 2.2.2, 2.1.3
All affected versions: 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.1.3, 2.2.2, 2.2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8
maven:org.apache.spark:spark-core_2.10
Dependent packages: 619Dependent repositories: 8,896
Downloads:
Affected Version Ranges: >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.2.2, 2.1.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1
All unaffected versions: 0.9.1, 0.9.2, 2.1.3, 2.2.2, 2.2.3