CVE-2021-26544

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

2.4%

top 14.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Livy (incubating)Apache Livy

Timeline

PublishedFeb 20

Latest updateMay 13

Description

Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5apache_software_foundation/apache_livy_(incubating)Apache Livy (Incubating) 0.7.0-incubating

▶Mavenorg.apache.livy:livy-server0.7.0-incubating — 0.7.1-incubating

▶NVDapache/livy0.7.0-incubating

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

OSV

Apache Livy Cross-site scripting (XSS) in session names↗2021-05-13

▶

GHSA

Apache Livy Cross-site scripting (XSS) in session names↗2021-05-13

▶

CVEList

Apache Livy (Incubating) is vulnerable to cross site scripting↗2021-02-20

▶