Vulnerability Description
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Spark | <= 2.1.1 |
Related Weaknesses (CWE)
References
- http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-SVendor Advisory
- http://www.securityfocus.com/bid/99603Third Party AdvisoryVDB Entry
- http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-SVendor Advisory
- http://www.securityfocus.com/bid/99603Third Party AdvisoryVDB Entry
FAQ
What is CVE-2017-7678?
CVE-2017-7678 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data...
How severe is CVE-2017-7678?
CVE-2017-7678 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7678?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Spark.