Vulnerability Description
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Spark | >= 2.1.0, <= 2.1.2 |
| Mozilla | Firefox | - |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f0
- https://spark.apache.org/security.html#CVE-2018-8024MitigationVendor Advisory
- https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f0
- https://spark.apache.org/security.html#CVE-2018-8024MitigationVendor Advisory
FAQ
What is CVE-2018-8024?
CVE-2018-8024 is a vulnerability with a CVSS score of 5.4 (MEDIUM). In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be trick...
How severe is CVE-2018-8024?
CVE-2018-8024 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-8024?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Spark, Mozilla Firefox.