GHSA-phg2-9c5g-m4q7

Suggest an improvement
Source
https://github.com/advisories/GHSA-phg2-9c5g-m4q7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-phg2-9c5g-m4q7/GHSA-phg2-9c5g-m4q7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-phg2-9c5g-m4q7
Aliases
  • CVE-2018-17190
Published
2018-11-21T22:19:30Z
Modified
2024-12-02T05:46:07.781671Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Remote Code Execution in spark-core
Details

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

Mitigation

Enable authentication on any Spark standalone cluster that is not otherwise secured from unwanted access, for example by network-level restrictions. Use spark.authenticate and related security properties described at https://spark.apache.org/docs/latest/security.html

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:49:15Z"
}
References

Affected packages

Maven / org.apache.spark:spark-core_2.11

Package

Name
org.apache.spark:spark-core_2.11
View open source insights on deps.dev
Purl
pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3

2.*

2.0.0
2.0.0-preview
2.0.1
2.0.2
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8

Maven / org.apache.spark:spark-core_2.10

Package

Name
org.apache.spark:spark-core_2.10
View open source insights on deps.dev
Purl
pkg:maven/org.apache.spark/spark-core_2.10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.0-incubating
0.9.1
0.9.2

1.*

1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3

2.*

2.0.0
2.0.0-preview
2.0.1
2.0.2
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3