Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj

Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Permalink: https://github.com/advisories/GHSA-6mqq-8r44-vmjc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 5 years ago
Updated: about 1 year ago


CVSS Score: 4.7
CVSS vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-6mqq-8r44-vmjc, CVE-2018-1334
References:

Affected Packages

maven:org.apache.spark:spark-core_2.11
Dependent packages: 1,401
Dependent repositories: 8,772
Downloads:
Affected Version Ranges: = 2.3.0, >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.3.1, 2.2.2, 2.1.3
All affected versions: 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.1.3, 2.2.2, 2.2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8
maven:org.apache.spark:spark-core_2.10
Dependent packages: 619
Dependent repositories: 8,896
Downloads:
Affected Version Ranges: >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.2.2, 2.1.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1
All unaffected versions: 0.9.1, 0.9.2, 2.1.3, 2.2.2, 2.2.3