PYSEC-2019-169

Details

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.

Affected packages

PyPI / pyspark
Introduced in: 2.3.0
Fixed in: 2.3.2
Fix: pip install --upgrade 'pyspark>=2.2.3'

References