{"id":"CVE-2018-1334","details":"In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.","aliases":["GHSA-6mqq-8r44-vmjc","PYSEC-2018-25"],"modified":"2026-04-10T04:05:18.266939Z","published":"2018-07-12T13:29:00.227Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E"},{"type":"ADVISORY","url":"https://spark.apache.org/security.html#CVE-2018-1334"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/spark","events":[{"introduced":"0"},{"last_affected":"2abaea9e40fce81cd4626498e0f5c28a70917499"},{"introduced":"a2c7b2133cfee7fa9abfaa2bfbfb637155466783"},{"last_affected":"e30e2698a2193f0bbdcd4edb884710819ab6397c"},{"introduced":"0"},{"last_affected":"992447fb30ee9ebb3cf794f2d06f4d63a2d792db"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.2"},{"introduced":"2.2.0"},{"last_affected":"2.2.1"},{"introduced":"0"},{"last_affected":"2.3.0"}]}}],"versions":["0.3-scala-2.8","alpha-0.2","v0.6.0","v0.7.0","v2.1.0","v2.1.1","v2.1.2","v2.1.2-rc1","v2.1.2-rc2","v2.1.2-rc3","v2.1.2-rc4","v2.2.0","v2.2.1","v2.2.1-rc1","v2.2.1-rc2","v2.3.0","v2.3.0-rc1","v2.3.0-rc2","v2.3.0-rc3","v2.3.0-rc4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1334.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}