CVE-2018-11760
Pyspark User Impersonation Vulnerability
Severity: MEDIUM 5.5
EPSS: 0.16%
Published: 2/7/2019
Modified: 12/4/2024
Description
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
Affected packages (2)
- PyPI/pyspark: >= 2.3.0, < 2.3.2
- PyPI/pyspark: >= 2.3.0, < 2.3.2, >= 1.0.2, < 2.2.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
References (9)
- ADVISORY https://github.com/advisories/GHSA-fvxv-9xxr-h7wj
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-11760
- WEB https://github.com/apache/spark
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-169.yaml
- WEB https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e@%3Ccommits.spark.apache.org%3E
- WEB https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E
- WEB https://web.archive.org/web/20200227091119/http://www.securityfocus.com/bid/106786
- WEB https://web.archive.org/web/20200925111106/https://issues.apache.org/jira/browse/SPARK-26802
- WEB http://www.securityfocus.com/bid/106786