When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
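As an added example (not part of this bug report), a small check that maps the affected version ranges listed above onto an installed or reported PySpark version string; the range table is transcribed from the list above, and versions outside those ranges are treated as not affected solely because the report does not list them.

```python
import re

# Affected Apache Spark / PySpark release ranges for CVE-2018-11760, transcribed
# from the report above as inclusive (major, minor, patch) bounds; 999 stands in
# for an open-ended "x" component.
AFFECTED_RANGES = [
    ((1, 0, 0), (1, 999, 999)),   # 1.x
    ((2, 0, 0), (2, 0, 999)),     # 2.0.x
    ((2, 1, 0), (2, 1, 999)),     # 2.1.x
    ((2, 2, 0), (2, 2, 2)),       # 2.2.0 to 2.2.2
    ((2, 3, 0), (2, 3, 1)),       # 2.3.0 to 2.3.1
]


def parse_version(version):
    """Return (major, minor, patch) from strings such as '2.3.1',
    '2.2.0-SNAPSHOT' or '2.3.1.post0'; missing components default to 0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    """True if the given PySpark version falls inside one of the listed ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def installed_pyspark_version():
    """Version string of the pyspark package importable in this interpreter,
    or None when pyspark is not installed (hypothetical helper; the checks
    above do not need pyspark to be present)."""
    try:
        import pyspark
    except ImportError:
        return None
    return pyspark.__version__


if __name__ == "__main__":
    v = installed_pyspark_version()
    if v is None:
        print("pyspark not installed in this interpreter")
    else:
        print(f"pyspark {v}: {'AFFECTED' if is_affected(v) else 'not listed as affected'}")
```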
References:
https://lists.apache.org/thread.html/a86ee93d07b6f61b82b61a28049aed311f5cc9420d26cc95f1a9de7b@%3Cuser.spark.apache.org%3E
http://seclists.org/oss-sec/2019/q1/98

Upstream patches:
https://github.com/apache/spark/commit/15fc2372269159ea2556b028d4eb8860c4108650 (master / 2.4)
https://github.com/apache/spark/commit/8080c937d3752aee2fd36f0045a057f7130f6fe4 (branch-2.3)
https://github.com/apache/spark/commit/a5624c7ae29d6d49117dd78642879bf978212d30 (branch-2.2)
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11760