CVE-2018-1334
Description
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Spark, a local user can impersonate another user when using PySpark or SparkR, allowing unauthorized access to Spark applications.
Vulnerability
In Apache Spark versions 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, a different local user can connect to the Spark application and impersonate the user running the application [1][3][4]. This occurs because the local communication between the driver and executor processes lacks proper authentication, allowing any local user to connect and assume the identity of the Spark user [2].
Exploitation
An attacker must have local access to the same machine where the Spark application is running [2]. They can then connect to the Spark application's local ports and impersonate the legitimate user, potentially submitting jobs or accessing data without proper authorization [1][3]. No additional authentication or user interaction is required beyond local access [2].
Impact
Successful exploitation allows the attacker to execute arbitrary code within the Spark application context, with the privileges of the impersonated user [1][2]. This can lead to disclosure, modification, or destruction of data processed by the Spark application, as well as potential denial of service [3].
Mitigation
Apache Spark released fixes in versions 2.2.2 and 2.3.1 [1][4]. Users should upgrade to these or later versions. If upgrading is not possible, restrict local access to the Spark application's ports and ensure that only trusted users have local access to the machine [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.spark:spark-core_2.10 | Maven | >= 1.0.0, < 2.1.3 | 2.1.3 |
| org.apache.spark:spark-core_2.10 | Maven | >= 2.2.0, < 2.2.2 | 2.2.2 |
| org.apache.spark:spark-core_2.11 | Maven | >= 1.0.0, < 2.1.3 | 2.1.3 |
| org.apache.spark:spark-core_2.11 | Maven | >= 2.2.0, < 2.2.2 | 2.2.2 |
| org.apache.spark:spark-core_2.11 | Maven | >= 2.3.0, < 2.3.1 | 2.3.1 |
| pyspark | PyPI | >= 2.2.0, < 2.2.2 | 2.2.2 |
| pyspark | PyPI | < 2.1.3 | 2.1.3 |
Affected products
- GHSA coordinates (3 packages): pkg:maven/org.apache.spark/spark-core_2.10, pkg:maven/org.apache.spark/spark-core_2.11, pkg:pypi/pyspark; range: >= 1.0.0, < 2.1.3 (+ 2 more)
- (no CPE) range: >= 1.0.0, < 2.1.3
- (no CPE) range: >= 1.0.0, < 2.1.3
- (no CPE) range: >= 2.2.0, < 2.2.2
- Apache Software Foundation / Apache Spark (v5) range: 1.0.0 to 2.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6mqq-8r44-vmjc (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1334 (GHSA: advisory)
- github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2018-25.yaml (GHSA: web)
- lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E (MITRE: mailing list, x_refsource_MLIST)
- lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060@%3Cdev.spark.apache.org%3E (GHSA: web)
- spark.apache.org/security.html (GHSA: web, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.