CVE-2017-12612

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-12612

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12612.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-12612

Aliases

Published

2017-09-13T16:29:00Z

Modified

2024-11-25T22:42:11.091237Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.

References

Affected packages

Git / github.com/apache/spark

Affected ranges

Type: GIT
Repo: https://github.com/apache/spark
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

13650fc58e1fcf2cf2a26ba11c819185ae1acc1f

Last affected

15de51c238a7340fa81cb0b80d029a05d97bfc5c

Last affected

1e860747458d74a4ccbd081103a0542a2367b14b

Last affected

267aca5bd5042303a718d10635bc0d1a1596853f

Last affected

4062cda3087ae42c6c3cb24508fc1d3a931accdf

Last affected

54b1121f351f056d6b67d2bb4efe0d553c0f7482

Last affected

584354eaac02531c9584188b143367ba694b0c34

Last affected

933d2c1ea4e5f5c4ec8d375b5ccaa4577ba4be38

Last affected

cd0a08361e2526519e7c131c42116bf56fa62c76

Affected versions

0.*

0.3-scala-2.8

0.3-scala-2.9

2.*

2.0.0-preview

alpha-0.*

alpha-0.1

alpha-0.2

v0.*

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v1.*

v1.6.0

v1.6.1

v2.*

v2.0.0

v2.1.0

v2.1.1