Cross-Site Scripting Vulnerability in Apache Spark by Apache
CVE-2017-7678

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Spark
Vendor: CVE Published:; 12 July 2017

Summary

In vulnerable versions of Apache Spark prior to 2.2.0, an attacker may exploit user trust by tricking them into visiting a malicious link that targets a shared Spark cluster. This can lead to the submission of harmful content, potentially including MHTML scripts, to the Spark master or history server. Once submitted, this data is reflected back to the user, making it possible for MS Windows clients to inadvertently execute the script while interacting with Spark's web UIs. This highlights a serious user-centric attack vector where the integrity of the application is compromised through social engineering.

References

http://apache-spark-developers-list.1001551.n3.nabble.com...

mailing-listx_refsource_MLIST

http://www.securityfocus.com/bid/99603

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 12, 2017
Vulnerability Reserved
Apr 11, 2017