
PYSEC-2018-25

Details

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Affected packages

PyPI / pyspark
Introduced in: 2.2.0
Fixed in: 2.2.2
Fix: pip install --upgrade 'pyspark>=2.1.3'
