Home/CVE/From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the su
CVE

CVE-2018-11770

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the su

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented.

In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear.

Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.

MEDIUM · CVSS 4.2 EPSS 0.88996
Act now
  • EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
  • EPSS percentile: top 0% of all CVEs by exploitation likelihood
  • Public exploit or PoC is available
Sigma rules0 YARA rules0

Weakness Classification

CWE-287Improper Authentication

Affected Products & Versions

1
apache spark>= 1.3.0 and < 2.4.0

Affected Packages

2
Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
Maven org.apache.spark:spark-core_2.10 MODERATE
Maven org.apache.spark:spark-core_2.11 MODERATE

Public Exploits & PoCs

1
pocspark.apache.org · security.html#CVE-2018-11770spark.apache.org

Scoring & Timeline

4.2
MEDIUM · CVSS v3.1 · security@apache.org
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD13 Aug 2018 · 04:29 PM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
🔗

References & Sources

2
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
http://www.securityfocus.com/bid/105097Broken LinkThird Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/bd8e51314041451a2acd720e9223fc1c15a263ccacb396a75b1fc485%40%3Cdev.spark.apache.org%3EMailing ListThird Party Advisory
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin