Lucene search

K

GoogleOSV:GHSA-43XG-8WMJ-CW8H

HistoryNov 01, 2022 - 7:00 p.m.

Apache Spark vulnerable to Log Injection

2022-11-0119:00:29

Google

osv.dev

19

apache spark

xss

remote attackers

arbitrary javascript

web browser

logs

ui

security vulnerability

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

30.3%

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.

References

www.openwall.com/lists/oss-security/2022/11/01/14

github.com/apache/spark

github.com/apache/spark/commit/ad90195de56688ce0898691eb9d04297ab0871ad

github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-42976.yaml

lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q

nvd.nist.gov/vuln/detail/CVE-2022-31777

web.archive.org/web/20220728105026/https://issues.apache.org/jira/browse/SPARK-39505

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

30.3%

Related for OSV:GHSA-43XG-8WMJ-CW8H

cnvd1 nessus2 ibm2 osv3 cve1 github1 prion1 redhatcve1 veracode1 cvelist1 nvd1 redhat1 oracle1