Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark

GHSA-6mqq-8r44-vmjc · CVE-2018-1334 · PYSEC-2018-25

Published Mar 14, 2019 · Modified Oct 21, 2024

Description

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

References

4.7 / 10

MEDIUM CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Packages

Maven/org.apache.spark:spark-core_2.10

Fix 2.1.3, 2.2.2

Introduced 1.0.0, 2.2.0

28 affected versions

1.0.01.0.11.0.21.1.01.1.11.2.01.2.11.2.21.3.01.3.11.4.01.4.11.5.01.5.11.5.21.6.01.6.11.6.21.6.32.0.0 +8 more

Maven/org.apache.spark:spark-core_2.11

Fix 2.1.3, 2.2.2, 2.3.1

Introduced 1.0.0, 2.2.0, 2.3.0

24 affected versions

1.2.01.2.11.2.21.3.01.3.11.4.01.4.11.5.01.5.11.5.21.6.01.6.11.6.21.6.32.0.02.0.0-preview2.0.12.0.22.1.02.1.1 +4 more

PyPI/pyspark

Fix 2.1.3, 2.2.2

Introduced 0, 2.2.0

4 affected versions

2.1.12.1.22.2.02.2.1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes