CVE-2018-11770

CWE-287Improper AuthenticationCWE-306Missing Authentication8 documents8 sources
Severity
4.2MEDIUM
EPSS
89.0%
top 0.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache SparkApache Spark
Timeline
PublishedAug 13
Latest updateNov 9

Description

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without au

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.5

Affected Packages4 packages

NVDapache/spark1.3.02.4.0
CVEListV5apache_software_foundation/apache_spark1.3.02.4.0
Mavenorg.apache.spark:spark-core_2.101.0.02.2.2
Mavenorg.apache.spark:spark-core_2.111.0.02.3.2

🔴Vulnerability Details

4
OSV
org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11 Improper Authentication vulnerability2018-11-09
GHSA
org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11 Improper Authentication vulnerability2018-11-09
CVEList
CVE-2018-11770: From version 12018-08-13
VulnCheck
Apache spark Improper Authentication2018

📋Vendor Advisories

2
Red Hat
spark: Missing authentication allows users to run driver programs via the REST API2018-08-14
Apache
Apache spark: CVE-2018-11770

💬Community

1
Bugzilla
CVE-2018-11770 spark: Missing authentication allows users to run driver programs via the REST API2018-08-14
CVE-2018-11770 (MEDIUM CVSS 4.2) | From version 1.3.0 onward | cvebase.io