Lucene search
ApacheCVELIST:CVE-2018-8024HistoryJul 11, 2018 - 12:00 a.m.
CVE-2018-8024
2018-07-1100:00:00
apache
www.cve.org
7
EPSS
0.001
Percentile
16.0%
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it’s possible for a malicious user to construct a URL pointing to a Spark cluster’s UI’s job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user’s view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
CNA Affected
[
{
"product": "Apache Spark",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0 to 2.1.2"
},
{
"status": "affected",
"version": "2.2.0 to 2.2.1"
},
{
"status": "affected",
"version": "2.3.0"
}
]
}
]Related
cve
cve
CVE-2018-8024
2018-07-12 13:29:00
prion
prion
Code injection
2018-07-12 13:29:00
github
github
osv
osv
Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL
2019-03-14 15:40:57
CVE-2018-8024
2018-07-12 13:29:00
veracode
veracode
Cross-Site Scripting (XSS)
2018-07-13 01:34:27
nvd
nvd
CVE-2018-8024
2018-07-12 13:29:00
