When using PySpark , it’s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-11760
- https://github.com/advisories/GHSA-fvxv-9xxr-h7wj
- https://lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e@%3Ccommits.spark.apache.org%3E
- https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E
- http://www.securityfocus.com/bid/106786
- https://issues.apache.org/jira/browse/SPARK-26802
- https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-169.yaml