CVE-2018-11770: Improper Authentication

August 13, 2018 (updated October 3, 2019)

Apache Spark standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property spark.authenticate.secret establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API.

References

www.securityfocus.com/bid/105097
nvd.nist.gov/vuln/detail/CVE-2018-11770
spark.apache.org/security.html

Detect and mitigate CVE-2018-11770 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →