// For flags

CVE-2018-17190

 

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

En todas las versiones de Apache Spark, su gestor independiente de recursos acepta que el código se ejecute en un host "master" que ejecuta dicho código en los hosts "worker". Por diseño, el propio master no ejecuta código del usuario. Sin embargo, una petición especialmente manipulada al master puede provocar que el master también lo haga. Nótese que esto no afecta a los clústers independientes con la autenticación habilitada. Aunque el host master suele tener menos acceso saliente a otros recursos que un worker, la ejecución de código en el master sigue siendo inesperada.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-09-19 CVE Reserved
  • 2018-11-19 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-10-29 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
Spark
Search vendor "Apache" for product "Spark"
*-
Affected