Vulnerability Description
Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Livy | 0.7.0-incubating |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/02/20/1Mailing ListPatchThird Party Advisory
- https://github.com/apache/incubator-livy/commit/4d8a912699683b973eee76d4e91447d7PatchThird Party Advisory
- https://lists.apache.org/thread.html/r2db14e7fd1e5ec2519e8828d43529bad623d75698cPatchVendor Advisory
- http://www.openwall.com/lists/oss-security/2021/02/20/1Mailing ListPatchThird Party Advisory
- https://github.com/apache/incubator-livy/commit/4d8a912699683b973eee76d4e91447d7PatchThird Party Advisory
- https://lists.apache.org/thread.html/r2db14e7fd1e5ec2519e8828d43529bad623d75698cPatchVendor Advisory
FAQ
What is CVE-2021-26544?
CVE-2021-26544 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions ...
How severe is CVE-2021-26544?
CVE-2021-26544 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-26544?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Livy.