CVE-2018-11760
First published: Mon Feb 04 2019(Updated: )
When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/pyspark | >=1.0.2<2.2.3 | 2.2.3 |
| pip/pyspark | >=2.3.0<2.3.2 | 2.3.2 |
| Apache Spark | >=1.0.2<=1.6.3 | |
| Apache Spark | >=2.0.0<=2.0.2 | |
| Apache Spark | >=2.1.0<=2.1.3 | |
| Apache Spark | >=2.2.0<=2.2.2 | |
| Apache Spark | >=2.3.0<=2.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2018-11760
- https://github.com/advisories/GHSA-fvxv-9xxr-h7wj (Advisory)
- https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e@%3Ccommits.spark.apache.org%3E
- https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E
- https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-169.yaml
- https://web.archive.org/web/20200227091119/http://www.securityfocus.com/bid/106786
- https://web.archive.org/web/20200925111106/https://issues.apache.org/jira/browse/SPARK-26802
- http://www.securityfocus.com/bid/106786
- https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b%40%3Cuser.spark.apache.org%3E
- https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e%40%3Ccommits.spark.apache.org%3E
Frequently Asked Questions
What is CVE-2018-11760?
CVE-2018-11760 is a vulnerability related to PySpark that allows a different local user to connect to the Spark application and impersonate the user running the application.
Which versions of PySpark are affected by CVE-2018-11760?
PySpark versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1 are affected by CVE-2018-11760.
What is the severity of CVE-2018-11760?
CVE-2018-11760 has a severity rating of 5.5 (medium).
How can I fix CVE-2018-11760 in PySpark?
To fix CVE-2018-11760 in PySpark, update to version 2.2.3 or later for 2.2.x versions, and update to version 2.3.2 or later for 2.3.x versions.
Where can I find more information about CVE-2018-11760?
You can find more information about CVE-2018-11760 on the NIST National Vulnerability Database (NVD) website.
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fvxv-9xxr-h7wj
- alias/CVE-2018-11760
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- agent/trending
- vendor/apache
- canonical/apache spark
- version/apache spark/1.0.2
- version/apache spark/1.6.3
- version/apache spark/2.0.0
- version/apache spark/2.0.2
- version/apache spark/2.1.0
- version/apache spark/2.1.3
- version/apache spark/2.2.0
- version/apache spark/2.2.2
- version/apache spark/2.3.0
- version/apache spark/2.3.1
- package-manager/pip