CVE-2018-1334
MEDIUM
Apache Spark 1.0.0-2.1.2, 2.2.0-2.2.1, 2.3.0 - Unauthorized User Impersonation via Local Connection
Title source: llmDescription
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
References (2)
Mitigation, Vendor Advisory (x_refsource_confirm)
https://spark.apache.org/security.html#CVE-2018-1334
Mailing List (mailing-list, x_refsource_mlist)
https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E
Scores
CVSS v3
4.7
EPSS
0.0011
EPSS Percentile
29.6%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-200
Status
published
Products (5)
apache/spark
2.3.0
apache/spark
< 2.1.2
org.apache.spark/spark-core_2.10
1.0.0 - 2.1.3 (Maven)
org.apache.spark/spark-core_2.11
1.0.0 - 2.1.3 (Maven)
pypi/pyspark
2.2.0 - 2.2.2 (PyPI)
Published
Jul 12, 2018
Tracked Since
Feb 18, 2026