Cross-Site Scripting Vulnerability in Apache Spark UI
CVE-2018-8024
5.4 MEDIUM
Summary
In specific versions of Apache Spark, a cross-site scripting vulnerability exists that enables an attacker to create a malicious URL leading to a Spark cluster’s user interface. If a user inadvertently follows this link, it can result in the execution of malicious scripts that could compromise their view of the Spark UI. Although modern browsers such as Chrome and Safari have implemented measures to block such attacks, older versions of Firefox and potentially other browsers may still be susceptible, putting users at risk of information exposure.
Affected Version(s)
Apache Spark 1.0.0 to 2.1.2
Apache Spark 2.2.0 to 2.2.1
Apache Spark 2.3.0
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved