CVE-2018-8024

Low

Low Medium High Critical

CVSS Score

Published: Jul 12, 2018

Last Modified: Nov 21, 2024

Vulnerability Description

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.

Known Affected Software

7 configuration(s) from 2 vendor(s)

spark

Version:

2.2.1

CPE:

cpe:2.3:a:apache:spark:2.2.1:-:*:*:*:*:*:*

spark

Version:

2.2.0

CPE:

cpe:2.3:a:apache:spark:2.2.0:*:*:*:*:*:*:*

spark

Version:

2.1.2

CPE:

cpe:2.3:a:apache:spark:2.1.2:-:*:*:*:*:*:*

spark

Version:

2.1.1

CPE:

cpe:2.3:a:apache:spark:2.1.1:*:*:*:*:*:*:*

spark

Version:

2.1.0

CPE:

cpe:2.3:a:apache:spark:2.1.0:*:*:*:*:*:*:*

spark

Version:

2.3.0

CPE:

cpe:2.3:a:apache:spark:2.3.0:-:*:*:*:*:*:*

firefox

Version:

CPE:

cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*

This vulnerability affects 7 software configuration(s). Ensure you patch all affected systems.

References & Resources

Severity Details

out of 10.0

Low

Weakness Type (CWE)

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Exploit Likelihood: High
Typical Severity: Medium
Abstraction Level: Class