Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2017-12612

Good to know:

icon
icon

Date: September 13, 2017

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.

Language: Java

Severity Score

Related Resources (6)

http://www.securityfocus.com/bid/100823
https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2017-147.yaml
https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E
https://nvd.nist.gov/vuln/detail/CVE-2017-12612
https://github.com/advisories/GHSA-8rhc-48pp-52gr
https://www.mend.io/vulnerability-database/CVE-2017-12612

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.spark:spark-launcher_2.11:2.2.0,org.apache.spark:spark-launcher_2.10:2.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): LOCAL
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): COMPLETE
Integrity (I): COMPLETE
Availability (A): COMPLETE
Additional information:

Do you need more information?

Contact Us