CVE-2018-8024
published 2018-07-12

Priority: P3 · 35 · medium · 5.4 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 5.05% (91.2th percentile)
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.

Affected

7 ranges

Vendor                       Product        Version range    Fixed in
apache                       spark
apache                       spark
apache                       spark          2.1.0 – 2.1.2
apache                       spark          2.2.0 – 2.2.1
apache_software_foundation   apache_spark
apache_software_foundation   apache_spark
apache_software_foundation   apache_spark

Detection & IOCs (extracted from sources)

url: /jobs/?"'>alert(document.domain)
path: /jobs/
  • HTTP GET request to the /jobs/ endpoint with an unsanitized query string carrying the XSS payload; the response body reflects the payload ('>alert(document.domain)) alongside the 'Spark Jobs' text, with HTTP 200 and content-type text/html
  • Shodan/FOFA fingerprint for exposed Spark UI instances: search for the title 'spark master at' to identify the attack surface
  • The Spark UI is also commonly exposed on port 4040; probe both the base URL and port 4040 for the /jobs/ XSS endpoint
  • XSS exploitation is browser-dependent: recent Chrome and Safari versions block this reflected XSS, but Firefox (and possibly others) do not, limiting reliable exploitation to specific browser targets
  • The attack requires user interaction (the victim must be tricked into opening a crafted URL); this is a reflected XSS, not stored, so detections should focus on inbound requests carrying the payload in the query string
  • Affected versions span multiple release trains (2.1.0–2.1.2, 2.2.0–2.2.1, 2.3.0); ensure version-based detection/blocking covers all three branches
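The two detection points above (query-string inspection on the job/stage pages, and a version check that covers all three affected branches) as a worked example. This is added code, not part of the cvebase record or of the Apache Spark project; it assumes Common Log Format access logs in front of the Spark UI, and the sample log lines are constructed, with the page's own IOC payload URL-encoded as a browser would send it:

```python
"""Defensive helpers for CVE-2018-8024 (Apache Spark UI reflected XSS).

Added example, not code from the page or from Apache Spark. The log
lines are constructed; the payload is the IOC quoted on the page,
URL-encoded as it would appear in an access log.
"""
import re
from urllib.parse import urlsplit, unquote

# Affected release trains from the advisory text (inclusive bounds).
AFFECTED_RANGES = (
    ((2, 1, 0), (2, 1, 2)),
    ((2, 2, 0), (2, 2, 1)),
    ((2, 3, 0), (2, 3, 0)),
)

# Spark UI pages named in the advisory: job and stage info pages.
SPARK_UI_PREFIXES = ("/jobs", "/stages")

# Substrings that indicate an attempt to break out of the reflected
# attribute/element. Matched after URL decoding, case-insensitively.
XSS_MARKERS = ('">', "'>", "<script", "javascript:", "onerror=", "onload=")

# Common Log Format (assumption: the reverse proxy or server logs in CLF).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_version(version: str):
    """'2.1.2' -> (2, 1, 2); a trailing label such as '-SNAPSHOT' is ignored."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not nums:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(n) for n in nums.groups())


def is_affected_version(version: str) -> bool:
    """True if the version falls in any of the three affected branches."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def is_spark_ui_xss(target: str) -> bool:
    """Flag a request target whose query string carries XSS markers
    and whose path is one of the Spark UI job/stage pages."""
    parts = urlsplit(target)
    on_ui_page = any(parts.path == p or parts.path.startswith(p + "/")
                     for p in SPARK_UI_PREFIXES)
    if not on_ui_page:
        return False
    decoded = unquote(parts.query).lower()
    return any(marker in decoded for marker in XSS_MARKERS)


def scan_access_log(lines):
    """Return one finding per GET request that looks like CVE-2018-8024 probing."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line.strip())
        if not m:
            continue  # not CLF; a real pipeline would record the parse failure
        target = m.group("target")
        if m.group("method") == "GET" and is_spark_ui_xss(target):
            parts = urlsplit(target)
            findings.append({
                "ip": m.group("ip"),
                "path": parts.path,
                "status": int(m.group("status")),
                "decoded_query": unquote(parts.query),
            })
    return findings


# Constructed sample log lines (not from the page). The first carries the
# page's IOC payload in URL-encoded form; the next two are ordinary Spark UI
# traffic; the last has quote characters but is not on a Spark UI page.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2018:10:00:01 +0000] "GET /jobs/?%22%27%3Ealert(document.domain) HTTP/1.1" 200 5120',
    '198.51.100.2 - - [12/Jul/2018:10:00:05 +0000] "GET /jobs/job/?id=3 HTTP/1.1" 200 8801',
    '198.51.100.2 - - [12/Jul/2018:10:00:09 +0000] "GET /stages/stage/?id=2&attempt=0 HTTP/1.1" 200 9107',
    '192.0.2.9 - - [12/Jul/2018:10:01:00 +0000] "GET /static/?v=%22%27%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} query={f['decoded_query']!r} status={f['status']}")
    for v in ("2.1.2", "2.2.1", "2.3.0", "2.3.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The path filter is what keeps the rule specific: quote-and-angle-bracket sequences turn up in plenty of benign query strings elsewhere, but on the Spark job and stage pages they have no legitimate use, so a match there is worth an alert rather than just a log line. Because the UI is often served on port 4040 as well as behind the cluster's base URL, feed logs from both listeners into the same scan.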

CVSS provenance

nvd            v3.0   5.4   MEDIUM   CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd            v2.0   4.9   MEDIUM   AV:N/AC:M/Au:S/C:P/I:P/A:N
vendor_apache         5.4