CVE-2018-1334

CWE-200 — Information Exposure6 documents5 sources

Severity

4.7MEDIUM

EPSS

0.1%

top 72.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Spark Apache Software Foundation Apache Spark

Timeline

PublishedJul 12

Latest updateMar 14

Description

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages5 packages

▶PyPIpyspark2.2.0 — 2.2.2+1

▶Mavenorg.apache.spark:spark-core_2.101.0.0 — 2.1.3+1

▶Mavenorg.apache.spark:spark-core_2.111.0.0 — 2.1.3+2

▶NVDapache/spark2.2.0 — 2.2.1+2

▶CVEListV5apache_software_foundation/apache_spark1.0.0 to 2.1.2, 2.2.0 to 2.2.1, 2.3.0+2

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark↗2019-03-14

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark↗2019-03-14

▶

CVEList

CVE-2018-1334: In Apache Spark 1↗2018-07-12

▶

OSV

CVE-2018-1334: In Apache Spark 1↗2018-07-12

▶

📋Vendor Advisories

Apache

Apache spark: CVE-2018-1334↗

▶