CVE-2018-17190

Name: CVE-2018-17190
Creator: NVD / NIST
Published: 2018-11-19T14:29:00.513+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 8.72%

Last modified Jun 17, 2026

CVE-2018-17190 is a vulnerability of currently unknown severity. In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. EPSS estimates a 8.72% chance of exploitation in the next 30 days.

Description

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

Metrics

EPSS Probability

8.72%

94.5th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Apache	Spark	All versions

References

http://www.securityfocus.com/bid/105976Third Party Advisory, VDB Entry
https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3E
https://security.gentoo.org/glsa/201903-21Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
http://www.securityfocus.com/bid/105976Third Party Advisory, VDB Entry
https://lists.apache.org/thread.html/341c3187f15cdb0d353261d2bfecf2324d56cb7db1339bfc7b30f6e5%40%3Cdev.spark.apache.org%3E
https://security.gentoo.org/glsa/201903-21Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Timeline

Published: Nov 19, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-17190?

How severe is CVE-2018-17190?

Severity scoring for CVE-2018-17190 is pending analysis. The EPSS model estimates a 8.72% probability of exploitation in the next 30 days.

How do I fix CVE-2018-17190?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-17190?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST