CVE-2018-8024
Published 2018-07-12
Priority P3 · 35 · medium · CVSS 3.0: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploit / EPSS: 5.05% (91.2th percentile)
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spark | — | — |
| apache | spark | — | — |
| apache | spark | 2.1.0 – 2.1.2 | — |
| apache | spark | 2.2.0 – 2.2.1 | — |
| apache_software_foundation | apache_spark | — | — |
| apache_software_foundation | apache_spark | — | — |
| apache_software_foundation | apache_spark | — | — |
Detection & IOCs (extracted from sources)
URL: /jobs/?"'>alert(document.domain)
Path: /jobs/
- HTTP GET request to the /jobs/ endpoint with an unsanitized query string containing an XSS payload; the response body reflects the payload ('>alert(document.domain)) alongside the 'Spark Jobs' text, with HTTP 200 and content-type text/html
- Shodan/FOFA fingerprint for exposed Spark UI instances: search for the title 'spark master at' to identify the attack surface
- The Spark UI is also commonly exposed on port 4040; probe both the base URL and port 4040 for the /jobs/ XSS endpoint
- XSS exploitation is browser-dependent: recent Chrome and Safari versions block this reflected XSS attack, but Firefox (and possibly others) do not, limiting reliable exploitation to specific browser targets
- The attack requires user interaction (the victim must be tricked into clicking a crafted URL); this is a reflected XSS, not stored, so detections should focus on inbound requests carrying the payload in the query string
- Affected versions span multiple release trains (2.1.0–2.1.2, 2.2.0–2.2.1, 2.3.0); ensure version-based detection/blocking covers all three branches
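A log-side check for the detection point above, added here as an example and not part of the original record or the Spark project: it parses constructed combined-format access-log lines (assumed to come from a reverse proxy or web server in front of the Spark UI) and flags requests to the /jobs/ or /stages/ pages whose URL-decoded query string carries reflected-XSS markers.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2018:10:01:02 +0000] "GET /jobs/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jul/2018:10:01:09 +0000] "GET /jobs/?%22%27%3Ealert(document.domain) HTTP/1.1" 200 5210 "-" "Mozilla/5.0 Firefox/60.0"
10.0.0.9 - - [12/Jul/2018:10:02:11 +0000] "GET /stages/stage/?id=3&attempt=0 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2018:10:02:30 +0000] "GET /stages/?%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 8900 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Spark UI pages named in the advisory (job and stage info pages).
SPARK_UI_PATHS = ("/jobs/", "/stages/")

# Characters and tokens that have no business in a legitimate Spark UI query
# string but are needed to break out of an attribute and inject markup.
XSS_MARKERS = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "ts": m.group(2), "method": m.group(3),
            "target": m.group(4), "status": int(m.group(5))}


def suspicious_query(target):
    """Return the decoded query string if it targets a Spark UI page and
    contains XSS markers, else None. Decodes twice to catch double encoding."""
    parts = urlsplit(target)
    if not parts.path.startswith(SPARK_UI_PATHS):
        return None
    decoded = unquote_plus(unquote_plus(parts.query))
    return decoded if XSS_MARKERS.search(decoded) else None


def scan_log(text):
    """Scan access-log text and return one hit record per suspicious request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        query = suspicious_query(rec["target"])
        if query is not None:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "path": urlsplit(rec["target"]).path, "query": query})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Legitimate Spark UI parameters (for example `id=3&attempt=0`) pass untouched; tune the marker set or add an allowlist if job names in your cluster legitimately contain quotes.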
CVSS provenance
- nvd v3.0: 5.4 MEDIUM · CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- nvd v2.0: 4.9 MEDIUM · AV:N/AC:M/Au:S/C:P/I:P/A:N
- vendor_apache: 5.4
OSV
osv · 2019-03-14 · CVE-2018-8024 [MEDIUM]
Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL
GHSA
ghsa · 2019-03-14 · CVE-2018-8024 [MEDIUM] · CWE-200
Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL
Apache
vendor_apache · CVSS 5.4 · CVE-2018-8024
Apache spark: CVE-2018-8024
Severity: Medium
Versions Affected:
- Spark 2.1.0 through 2.1.2
- Spark 2.2.0 through 2.2.1
- Spark 2.3.0
Mitigation:
- 2.1.x users should upgrade to 2.1.3 or newer
- 2.2.x users should upgrade to 2.2.2 or newer
- 2.3.x users should upgrade to 2.3.1 or newer
Credit: Spencer Gietzen, R
No detection rules found.
Nuclei
nuclei · CVSS 5.4 · CVE-2018-8024 [MEDIUM]
Apache Spark UI - Cross-Site Scripting
Apache Spark UI before 2.3.2 is vulnerable to XSS via unsanitized query string parameters in the /jobs/ endpoint.
Template:
```yaml
id: CVE-2018-8024
info:
  name: Apache Spark UI - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Apache Spark UI before 2.3.2 is vulnerable to XSS via unsanitized query string parameters in the /jobs/ endpoint.
  impact: |
    Attackers can execute arbitrary JavaScript in victims' browsers via crafted query string parameters, potentially stealing session cookies or performing actions on behalf of users.
  remediation: |
    Upgrade to Apache Spark version 2.3.2 or later.
  reference:
    - https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2018-8024
    - https://nvd.nist.gov/vuln/detail/CVE-2018-8024
```
classification
No writeups or analysis indexed.
- https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E
- https://spark.apache.org/security.html#CVE-2018-8024