Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj

Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Permalink: https://github.com/advisories/GHSA-6mqq-8r44-vmjc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 1 month ago


CVSS Score: 4.7
CVSS vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00042
EPSS Percentile: 0.05089

Identifiers: GHSA-6mqq-8r44-vmjc, CVE-2018-1334
References: Blast Radius: 36.4

Affected Packages

pypi:pyspark
Dependent packages: 588
Dependent repositories: 6,227
Downloads: 30,602,978 last month
Affected Version Ranges: >= 0, < 2.1.3, >= 2.2.0, < 2.2.2
Fixed in: 2.1.3, 2.2.2
All affected versions: 2.1.1, 2.1.2, 2.2.0, 2.2.1
All unaffected versions: 2.1.3, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3
maven:org.apache.spark:spark-core_2.11
Dependent packages: 1,401
Dependent repositories: 8,772
Downloads:
Affected Version Ranges: = 2.3.0, >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.3.1, 2.2.2, 2.1.3
All affected versions: 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.1.3, 2.2.2, 2.2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8
maven:org.apache.spark:spark-core_2.10
Dependent packages: 619
Dependent repositories: 8,896
Downloads:
Affected Version Ranges: >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.2.2, 2.1.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1
All unaffected versions: 0.9.1, 0.9.2, 2.1.3, 2.2.2, 2.2.3