CVE-2017-12612 org.apache.spark:spark-core_2.10

Package

Manager: maven
Name: org.apache.spark:spark-core_2.10
Vulnerable Version: >=0 <2.1.2

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00155 (percentile 0.36846)

Details

Apache Spark Deserialization of Untrusted Data vulnerability. In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.1.2, 2.2.0 or later.

Metadata

Created: 2018-11-09T17:43:25Z
Modified: 2024-11-26T18:49:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-8rhc-48pp-52gr/GHSA-8rhc-48pp-52gr.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-8rhc-48pp-52gr
Finding: F096
Auto approve: 1