User Impersonation

Affecting pyspark package, versions [,2.2.3) || [2.3.0, 2.3.2)

Overview

pyspark is a fast and general cluster computing system for Big Data.

Affected versions of this package are vulnerable to User Impersonation. It is possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Remediation

Upgrade pyspark to version 2.2.3, 2.3.2 or higher.
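As an added check (not part of the Snyk advisory or of pyspark itself), the following Python evaluates a pyspark version string against the affected ranges quoted above, using Snyk's interval notation; the `installed_pyspark_affected` helper, which reads the installed version through `importlib.metadata`, is this example's own assumption.

```python
"""Check a pyspark version against the affected ranges of this advisory."""
from __future__ import annotations
import re

# Affected ranges exactly as stated on the advisory page (Snyk interval notation).
AFFECTED_RANGES = "[,2.2.3) || [2.3.0, 2.3.2)"

# One interval: open/closed bracket, optional low bound, optional high bound, bracket.
_INTERVAL = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\]\)\s]*)\s*([\]\)])\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1). A trailing tag such as in '2.3.1rc1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare two version tuples, zero-padding so that 2.2 == 2.2.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_interval(version: str, interval: str) -> bool:
    """True if version lies in one interval like '[2.3.0, 2.3.2)'; an empty bound is open."""
    m = _INTERVAL.match(interval)
    if not m:
        raise ValueError(f"bad interval: {interval!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:  # '(' excludes the bound itself, '[' includes it
        c = _cmp(v, parse_version(lo))
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:  # ')' excludes the bound itself, ']' includes it
        c = _cmp(v, parse_version(hi))
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


def is_affected(version: str, ranges: str = AFFECTED_RANGES) -> bool:
    """True if version falls in any '||'-separated interval of the advisory."""
    return any(in_interval(version, r) for r in ranges.split("||"))


def installed_pyspark_affected() -> bool | None:
    """Check the pyspark installed in this interpreter (assumed helper); None if absent."""
    try:
        from importlib.metadata import version
        return is_affected(version("pyspark"))
    except Exception:  # PackageNotFoundError, or no importlib.metadata on old Pythons
        return None
```

The fixed versions 2.2.3 and 2.3.2 named in the remediation fall outside both intervals, so they report as not affected.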

CVSS Score

5.6
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Luca Canali, Jose Carlos Luna Duran
CVE
CVE-2018-11760
CWE
CWE-520
Snyk ID
SNYK-PYTHON-PYSPARK-73649
Disclosed
04 Feb, 2019
Published
04 Feb, 2019