Apache Spark < 3.2.2 / 3.3.0 < 3.3.1 XSS (CVE-2022-31777)
Reporter | Title | Published | Views | Family
---|---|---|---|---
CNVD | Apache Spark Injection Vulnerability | 3 Nov 2022 00:00 | – | cnvd
Prion | Cross site scripting | 1 Nov 2022 16:15 | – | prion
OSV | Apache Spark vulnerable to Log Injection | 1 Nov 2022 19:00 | – | osv
OSV | BIT-spark-2022-31777 | 6 Mar 2024 11:05 | – | osv
OSV | CVE-2022-31777 | 1 Nov 2022 16:15 | – | osv
OSV | PYSEC-2022-42976 | 1 Nov 2022 16:15 | – | osv
RedhatCVE | CVE-2022-31777 | 23 Nov 2022 16:56 | – | redhatcve
Veracode | Cross-site Scripting (XSS) | 2 Nov 2022 02:13 | – | veracode
IBM Security Bulletins | Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark | 30 Jan 2023 17:07 | – | ibm
IBM Security Bulletins | Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs | 29 Mar 2023 18:36 | – | ibm
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, inc.
##

include('compat.inc');

if (description)
{
  script_id(182513);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/28");

  script_cve_id("CVE-2022-31777");

  script_name(english:"Apache Spark < 3.2.2 / 3.3.0 < 3.3.1 XSS (CVE-2022-31777)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains a web application that is affected by a cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Spark installed on the remote host is prior to 3.2.2 or is 3.3.0. It is, therefore, affected by a
cross-site scripting (XSS) vulnerability. An authenticated, remote attacker can execute arbitrary JavaScript in the web
browser of a user by including a malicious payload into the logs which would be returned in logs rendered in the UI.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q");
  script_set_attribute(attribute:"solution", value:
"Upgrade Apache Spark to 3.2.2, 3.3.1, or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-31777");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:spark");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_spark_detect.nbin");
  script_require_keys("installed_sw/Apache Spark");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 7077, 8080, 8081, 9090, 6066, 4040, 18080);

  exit(0);
}

include('vcf.inc');

var app = 'Apache Spark';
var app_info = vcf::combined_get_app_info(app:app);

var constraints = [
  { 'fixed_version' : '3.2.2'},
  { 'min_version': '3.3.0', 'fixed_version': '3.3.1'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING,
  flags:{'xss': TRUE});
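The plugin's detection is purely version-based: a host is reported when the self-reported Spark version is below 3.2.2, or is at least 3.3.0 but below 3.3.1 (the `min_version`/`fixed_version` pairs in the constraint list). The Python below is an added example, written for this page and not Tenable's `vcf` library or Spark project code; it reimplements that constraint logic so a practitioner can confirm which versions the plugin would flag. It assumes a plain dotted-numeric comparison with any pre-release suffix stripped (so `3.3.0-rc1` is treated as `3.3.0`); the real `vcf` comparison rules are not shown on this page.

```python
"""Version-range check mirroring the plugin's constraint list (added example)."""
from typing import Dict, List, Optional, Tuple

# The same two ranges the NASL plugin passes to vcf::check_version_and_report.
CONSTRAINTS: List[Dict[str, str]] = [
    {"fixed_version": "3.2.2"},
    {"min_version": "3.3.0", "fixed_version": "3.3.1"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.3.0' into (3, 3, 0).

    Assumption: a non-numeric suffix ends the version ('3.3.0-rc1' -> (3, 3, 0)),
    so pre-releases compare like their base version.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
        if len(digits) != len(piece):  # suffix such as '-rc1' ends parsing
            break
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; '3.3' compares equal to '3.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def matching_constraint(version: str,
                        constraints: List[Dict[str, str]] = CONSTRAINTS
                        ) -> Optional[Dict[str, str]]:
    """Return the first constraint whose [min_version, fixed_version) range contains version."""
    for c in constraints:
        if "min_version" in c and cmp_versions(version, c["min_version"]) < 0:
            continue  # below the range start, try the next constraint
        if cmp_versions(version, c["fixed_version"]) < 0:
            return c  # below the fix, inside the affected range
    return None


def is_affected(version: str, constraints: List[Dict[str, str]] = CONSTRAINTS) -> bool:
    return matching_constraint(version, constraints) is not None


def report(version: str, constraints: List[Dict[str, str]] = CONSTRAINTS) -> str:
    """One-line finding in the spirit of the plugin's version-only check."""
    c = matching_constraint(version, constraints)
    if c is None:
        return f"Apache Spark {version}: not affected by CVE-2022-31777 (version-based check only)"
    return f"Apache Spark {version}: affected by CVE-2022-31777, upgrade to {c['fixed_version']} or later"


if __name__ == "__main__":
    # Constructed sample of self-reported versions a scan might collect.
    for v in ["3.1.3", "3.2.1", "3.2.2", "3.3.0", "3.3.0-rc1", "3.3.1", "3.4.0"]:
        print(report(v))
```

Only the decision logic is shown; collecting the version string from a Spark UI endpoint is left to the detection plugin the script depends on (`apache_spark_detect.nbin`). Note that 3.2.2 and 3.3.1 themselves are the fixed releases and fall outside both ranges, which is the behaviour the plugin's `fixed_version` keys express.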