CVE-2017-12612

7.8 HIGH

Published: September 13, 2017 Modified: May 13, 2026

Description

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://www.securityfocus.com/bid/100823

Source: security@apache.org

Third Party Advisory VDB Entry

https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E

Source: security@apache.org

Mailing List Vendor Advisory

http://www.securityfocus.com/bid/100823

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory VDB Entry

https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.8 / 10.0

EPSS (Exploit Probability)

0.7%

50th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-502

Affected Vendors

apache

Related CVEs

CVE-2026-12243 7.5

CVE-2026-8023 7.5

CVE-2026-7656 8.1

CVE-2026-51219 N/A

CVE-2026-51218 N/A