Detections
Analytics

Apache Spark < 2.1.3 / 2.2.x < 2.2.2 / 2.3.x < 2.3.1 XSS in UI

medium Web App Scanning Plugin ID 112470

Language:

Synopsis

Apache Spark < 2.1.3 / 2.2.x < 2.2.2 / 2.3.x < 2.3.1 XSS in UI

Description

The remote web server is running a version of Apache Spark that is affected by a Cross-Site Scripting (XSS) vulnerability due to a flaw in Spark cluster's UI's job and stage info pages, which allows a remote attacker to use specially crafted requests that can lead to arbitrary HTML and script code injection into a user's browser to be executed within the security context of the affected site.

Solution

Update Apache Sparks to 2.1.3 or newer for 1.x, 2.0.x, and 2.1.x versions, 2.2.2 or newer for 2.2.x versions, 2.3.1 or newer for 2.3.x version

See Also

https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E

https://spark.apache.org/security.html

Plugin Details

Severity: Medium

ID: 112470

Type: remote

Published: 9/12/2018

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2018-8024

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: CVE-2018-8024

Vulnerability Information

CPE: cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Patch Publication Date: 7/11/2018

Vulnerability Publication Date: 7/10/2018

Reference Information

CVE: CVE-2018-8024