CVE-2017-7678

Severity: 6.1 MEDIUM
EPSS: 1.8% (top 17.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jul 12, 2017; Latest update Nov 9, 2018

Description

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadverten
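The description above reduces to two conditions a tester can check for in a Spark master or history server response: a query parameter that is reflected into the page unescaped, and the absence of the response headers that stop a Windows client from content-sniffing the body and treating it as MHTML or script. The Python below is an added example written for this page, not Spark project code and not an exploit from the advisory; the HTTP responses in it are constructed, the probe marker and function names are this example's own, and the header check covers the generic X-Content-Type-Options / X-XSS-Protection hardening rather than any specific line of Spark source.

```python
"""Assess a captured HTTP response from a Spark UI endpoint for the
pre-fix conditions behind CVE-2017-7678.

Added example, not Spark code: the responses below are constructed,
and the probe marker is this example's own choice.
"""

import html

# Marker a tester would place in the probed query parameter; the angle
# brackets are what must not come back verbatim in an HTML body.
PROBE = '<x-cve-7678-probe>'


def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def escape_param(value):
    """Entity-encode a reflected parameter so markup in it renders as text.
    Generic mitigation for reflected input, not Spark's own routine."""
    return html.escape(value, quote=True)


def assess(headers, body, probe=PROBE):
    """Return the findings for one response, in a fixed order:

    'reflected-unescaped'     probe appears in the body verbatim
    'missing-nosniff'         no X-Content-Type-Options: nosniff header
    'missing-xss-protection'  no X-XSS-Protection header

    An empty list means none of the pre-fix conditions were observed.
    """
    findings = []
    if probe in body:
        findings.append('reflected-unescaped')
    # If only escape_param(probe) is present, the value was reflected but
    # entity-encoded, which a browser renders as text, not markup.
    cto = header(headers, 'X-Content-Type-Options')
    if cto is None or cto.strip().lower() != 'nosniff':
        findings.append('missing-nosniff')
    if header(headers, 'X-XSS-Protection') is None:
        findings.append('missing-xss-protection')
    return findings


# Constructed pre-fix response: the probe lands in the body verbatim and
# no hardening headers are present.
PRE_FIX = (
    {'Content-Type': 'text/html;charset=utf-8'},
    '<html><body><h3>Application: ' + PROBE + '</h3></body></html>',
)

# Constructed post-fix response: the parameter is entity-encoded and the
# two hardening headers are set.
POST_FIX = (
    {
        'Content-Type': 'text/html;charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
        'X-XSS-Protection': '1; mode=block',
    },
    '<html><body><h3>Application: ' + escape_param(PROBE) + '</h3></body></html>',
)


if __name__ == '__main__':
    for label, response in (('pre-fix', PRE_FIX), ('post-fix', POST_FIX)):
        print(label, assess(*response) or 'no findings')
```

To use it against a live cluster, pass the header dictionary and body returned by your HTTP client into `assess`. Spark's security documentation for 2.2.0 and later exposes the two headers through `spark.ui.xXssProtection` and `spark.ui.xContentTypeOptions.enabled`; those setting names come from the Spark documentation, not from this page.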

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

Vulnerability Details (3 sources)

GHSA (2018-11-09): Moderate severity vulnerability that affects org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11
OSV (2018-11-09): Moderate severity vulnerability that affects org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11
CVEList (2017-07-12): CVE-2017-7678: In Apache Spark before 2

Vendor Advisories (1 source)

Apache: Apache Spark: CVE-2017-7678
CVE-2017-7678 (MEDIUM CVSS 6.1) | In Apache Spark before 2.2.0 | cvebase.io