Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj
Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
Permalink: https://github.com/advisories/GHSA-6mqq-8r44-vmjcJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtcXEtOHI0NC12bWpj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 1 month ago
CVSS Score: 4.7
CVSS vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Percentage: 0.00042
EPSS Percentile: 0.05089
Identifiers: GHSA-6mqq-8r44-vmjc, CVE-2018-1334
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1334
- https://github.com/advisories/GHSA-6mqq-8r44-vmjc
- https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E
- https://spark.apache.org/security.html#CVE-2018-1334
- https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2018-25.yaml
Affected Packages
pypi:pyspark
Dependent packages: 588Dependent repositories: 6,227
Downloads: 30,602,978 last month
Affected Version Ranges: >= 0, < 2.1.3, >= 2.2.0, < 2.2.2
Fixed in: 2.1.3, 2.2.2
All affected versions: 2.1.1, 2.1.2, 2.2.0, 2.2.1
All unaffected versions: 2.1.3, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3
maven:org.apache.spark:spark-core_2.11
Dependent packages: 1,401Dependent repositories: 8,772
Downloads:
Affected Version Ranges: = 2.3.0, >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.3.1, 2.2.2, 2.1.3
All affected versions: 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.1.3, 2.2.2, 2.2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8
maven:org.apache.spark:spark-core_2.10
Dependent packages: 619Dependent repositories: 8,896
Downloads:
Affected Version Ranges: >= 2.2.0, < 2.2.2, >= 1.0.0, < 2.1.3
Fixed in: 2.2.2, 2.1.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1
All unaffected versions: 0.9.1, 0.9.2, 2.1.3, 2.2.2, 2.2.3