GHSA-8cw6-5qvp-q3wj

Source
https://github.com/advisories/GHSA-8cw6-5qvp-q3wj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-8cw6-5qvp-q3wj/GHSA-8cw6-5qvp-q3wj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8cw6-5qvp-q3wj
Aliases
Published
2019-03-14T15:40:57Z
Modified
2023-11-08T04:00:24.425968Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL
Details

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, a malicious user can construct a URL pointing to the job and stage info pages of a Spark cluster's UI; if a user can be tricked into opening that URL, it causes script to execute and exposes information from that user's view of the Spark UI. Some browsers, such as recent versions of Chrome and Safari, are able to block this type of attack, but current versions of Firefox (and possibly others) do not.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:25:20Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Maven / org.apache.spark:spark-core_2.10

Package

Name
org.apache.spark:spark-core_2.10
Purl
pkg:maven/org.apache.spark/spark-core_2.10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.3

Affected versions

2.*

2.1.0
2.1.1
2.1.2

Maven / org.apache.spark:spark-core_2.10

Package

Name
org.apache.spark:spark-core_2.10
Purl
pkg:maven/org.apache.spark/spark-core_2.10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.2

Affected versions

2.*

2.2.0
2.2.1

Maven / org.apache.spark:spark-core_2.11

Package

Name
org.apache.spark:spark-core_2.11
Purl
pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.3

Affected versions

2.*

2.1.0
2.1.1
2.1.2

Maven / org.apache.spark:spark-core_2.11

Package

Name
org.apache.spark:spark-core_2.11
Purl
pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.2

Affected versions

2.*

2.2.0
2.2.1

Maven / org.apache.spark:spark-core_2.11

Package

Name
org.apache.spark:spark-core_2.11
Purl
pkg:maven/org.apache.spark/spark-core_2.11

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.1

Affected versions

2.*

2.3.0