Vulnerability Details CVE-2018-11760
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 44.2%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 2.1
References
- http://www.securityfocus.com/bid/106786
- https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E
- https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E
- http://www.securityfocus.com/bid/106786
- https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E
- https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E
Products affected by CVE-2018-11760
-
cpe:2.3:a:apache:spark:1.0.2
-
cpe:2.3:a:apache:spark:1.1.0
-
cpe:2.3:a:apache:spark:1.1.1
-
cpe:2.3:a:apache:spark:1.2.0
-
cpe:2.3:a:apache:spark:1.2.1
-
cpe:2.3:a:apache:spark:1.2.2
-
cpe:2.3:a:apache:spark:1.3.0
-
cpe:2.3:a:apache:spark:1.3.1
-
cpe:2.3:a:apache:spark:1.4.0
-
cpe:2.3:a:apache:spark:1.4.1
-
cpe:2.3:a:apache:spark:1.5.0
-
cpe:2.3:a:apache:spark:1.5.1
-
cpe:2.3:a:apache:spark:1.5.2
-
cpe:2.3:a:apache:spark:1.6.0
-
cpe:2.3:a:apache:spark:1.6.1
-
cpe:2.3:a:apache:spark:1.6.2
-
cpe:2.3:a:apache:spark:1.6.3
-
cpe:2.3:a:apache:spark:2.0.0
-
cpe:2.3:a:apache:spark:2.0.1
-
cpe:2.3:a:apache:spark:2.0.2
-
cpe:2.3:a:apache:spark:2.1.0
-
cpe:2.3:a:apache:spark:2.1.1
-
cpe:2.3:a:apache:spark:2.1.2
-
cpe:2.3:a:apache:spark:2.1.3
-
cpe:2.3:a:apache:spark:2.2.0
-
cpe:2.3:a:apache:spark:2.2.1
-
cpe:2.3:a:apache:spark:2.2.2
-
cpe:2.3:a:apache:spark:2.3.0
-
cpe:2.3:a:apache:spark:2.3.1