CVE-2018-11760
Description
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Spark's PySpark, a local user can connect to the Spark application and impersonate the user running it, affecting versions 1.x through 2.3.1.
Vulnerability
In Apache Spark's PySpark component, a vulnerability exists that allows a different local user to connect to the Spark application and impersonate the user running the Spark application. This issue affects Spark versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. [1][2]
Exploitation
Any other local user account on the host where the Spark application runs can connect to the application and act as the user executing the Spark job. Nothing beyond local access to that host is required: no credentials belonging to the Spark user and no interaction from the victim. [1]
Impact
Successful exploitation lets the attacker execute arbitrary code and perform actions under the identity of the Spark application user. That is a local privilege escalation to that account and can lead to disclosure of any data the user can read and to unauthorized actions carried out within the cluster as that user. [1][2]
Mitigation
The fix ships in Spark 2.2.3 (for 1.x, 2.0.x, 2.1.x and 2.2.x users) and in Spark 2.3.2 (for 2.3.x users), matching the patched versions in the affected-packages table on this page; upgrade to one of those releases or later. There is no configuration workaround. Until the upgrade is done, do not run PySpark on hosts where untrusted local users hold accounts, since local access is all the attack requires. [1][2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyspark (PyPI) | >= 1.0.2, < 2.2.3 | 2.2.3 |
| pyspark (PyPI) | >= 2.3.0, < 2.3.2 | 2.3.2 |
Affected products
- Apache Software Foundation / Apache Spark, affected range: Apache Spark 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1
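As an added check (example code written for this page, not from the advisory or from Apache Spark), the script below encodes the two affected ranges from the affected-packages table and reports whether a given pyspark version, or the one installed in the current environment, falls inside them. It assumes the GHSA ranges are authoritative for PyPI builds; note that the CVE description says all 1.x releases are affected while the GHSA range starts at 1.0.2, so the check follows the table and would not flag a 1.0.0 or 1.0.1 build. The `installed_pyspark_version` helper and the `AFFECTED_RANGES` table are this example's own names.

```python
"""Check whether a pyspark version falls in the CVE-2018-11760 affected ranges
published in GHSA-fvxv-9xxr-h7wj. Added example; not part of the advisory or of
Apache Spark."""
from __future__ import annotations

import re

# Affected ranges as (inclusive lower bound, exclusive upper bound), copied from the
# advisory's affected-packages table; each upper bound is the first fixed release.
AFFECTED_RANGES = [
    ("1.0.2", "2.2.3"),  # 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2 -> fixed in 2.2.3
    ("2.3.0", "2.3.2"),  # 2.3.0 and 2.3.1 -> fixed in 2.3.2
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '2.3.1', '2.3.1.post0' or '3.0' into a comparable (major, minor, patch) tuple.

    Comparing tuples of ints avoids the string trap where '2.3.10' < '2.3.2'.
    Pre-release and local suffixes are ignored, so a '2.3.2.dev0' build is reported
    as fixed even though it may predate the fix commit; check the exact build if that matters.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if `version` lies inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str | None:
    """First fixed release on the same line as `version`, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def installed_pyspark_version() -> str | None:
    """Version of the pyspark distribution in the current environment, if any.

    Uses importlib.metadata so that neither pyspark nor a JVM needs to be importable.
    """
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python older than 3.8
        return None
    try:
        return version("pyspark")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    found = installed_pyspark_version()
    if found is None:
        print("pyspark is not installed in this environment")
    elif is_affected(found):
        print(f"pyspark {found} is affected by CVE-2018-11760; "
              f"upgrade to {recommended_fix(found)} or later")
    else:
        print(f"pyspark {found} is not in an affected range")
```

Run it inside the virtualenv or conda environment that launches your Spark jobs, since that is the pyspark build the driver actually loads; a system-wide install checked from a different interpreter tells you nothing about the job's environment.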
Patches
No patches discovered yet.
References
[1] GHSA-fvxv-9xxr-h7wj (GitHub Security Advisory): github.com/advisories/GHSA-fvxv-9xxr-h7wj
[2] NVD entry: nvd.nist.gov/vuln/detail/CVE-2018-11760
[3] SecurityFocus BID 106786 (cited by MITRE): www.securityfocus.com/bid/106786; archived copy: web.archive.org/web/20200227091119/http://www.securityfocus.com/bid/106786
[4] PyPA advisory PYSEC-2019-169: github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-169.yaml
[5] Thread on commits.spark.apache.org (cited by MITRE and GHSA): lists.apache.org/thread.html/6d015e56b3a3da968f86e0b6acc69f17ecc16b499389e12d8255bf6e@%3Ccommits.spark.apache.org%3E
[6] Thread on user.spark.apache.org (cited by MITRE and GHSA): lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E
[7] Apache JIRA SPARK-26802 (archived copy): web.archive.org/web/20200925111106/https://issues.apache.org/jira/browse/SPARK-26802