GHSA-6mqq-8r44-vmjc

Source

https://github.com/advisories/GHSA-6mqq-8r44-vmjc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-6mqq-8r44-vmjc/GHSA-6mqq-8r44-vmjc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6mqq-8r44-vmjc

Aliases

Published

2019-03-14T15:41:04Z

Modified

2024-10-21T21:27:08.927152Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark

Details

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Database specific

{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed_at": "2020-06-16T21:19:47Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Maven

org.apache.spark:spark-core_2.10

Package

Name: org.apache.spark:spark-core_2.10; View open source insights on deps.dev
Purl: pkg:maven/org.apache.spark/spark-core_2.10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

2.1.3

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.6.3

2.*

2.0.0

2.0.0-preview

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

org.apache.spark:spark-core_2.10

Package

Name: org.apache.spark:spark-core_2.10; View open source insights on deps.dev
Purl: pkg:maven/org.apache.spark/spark-core_2.10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.2

Affected versions

2.*

2.2.0

2.2.1

org.apache.spark:spark-core_2.11

Package

Name: org.apache.spark:spark-core_2.11; View open source insights on deps.dev
Purl: pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

2.1.3

Affected versions

1.*

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.6.3

2.*

2.0.0

2.0.0-preview

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

org.apache.spark:spark-core_2.11

Package

Name: org.apache.spark:spark-core_2.11; View open source insights on deps.dev
Purl: pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.2

Affected versions

2.*

2.2.0

2.2.1

org.apache.spark:spark-core_2.11

Package

Name: org.apache.spark:spark-core_2.11; View open source insights on deps.dev
Purl: pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.1

Affected versions

2.*

2.3.0

PyPI

pyspark

Package

Name: pyspark; View open source insights on deps.dev
Purl: pkg:pypi/pyspark

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.2

Affected versions

2.*

2.2.0

2.2.1

pyspark

Package

Name: pyspark; View open source insights on deps.dev
Purl: pkg:pypi/pyspark

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.3

Affected versions

2.*

2.1.1

2.1.2