CVE-2018-8024

5.4MEDIUM

Key Information:

Vendor: Apache
Status: Apache Spark
Vendor: CVE Published:; 12 July 2018

Summary

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.

Affected Version(s)

Apache Spark 1.0.0 to 2.1.2

Apache Spark 2.2.0 to 2.2.1

Apache Spark 2.3.0

References

https://spark.apache.org/security.html#CVE-2018-8024

x_refsource_CONFIRM

https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 12, 2018
Vulnerability Reserved
Mar 9, 2018