CVE-2022-31777

CWE-74 | 8 documents | 7 sources

Severity: 5.4 MEDIUM
EPSS: 0.1% (top 65.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 1 | Latest update Jul 15

Description

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (5 packages)

NVD | apache/spark | < 3.2.2 | +1
Maven | org.apache.spark:spark-core_2.12 | 3.3.0 | 3.3.1 | +1
Maven | org.apache.spark:spark-core_2.13 | 3.3.0 | 3.3.1 | +1
CVEList V5 | apache_software_foundation/apache_spark | 3.2.1 and earlier | 3.2.1 | +1
PyPI | pyspark | 3.3.0 | 3.3.1 | +1

Vulnerability Details (4)

OSV | Apache Spark vulnerable to Log Injection | 2022-11-01
OSV | CVE-2022-31777: A stored cross-site scripting (XSS) vulnerability in Apache Spark 3 | 2022-11-01
CVEList | Apache Spark XSS vulnerability in log viewer UI Javascript | 2022-11-01
GHSA | Apache Spark vulnerable to Log Injection | 2022-11-01

Vendor Advisories (3)

Oracle | Oracle Analytics Risk Matrix: Analytics Server (Apache Spark) — CVE-2022-31777 | 2023-07-15
Red Hat | apache-spark: XSS vulnerability in log viewer UI Javascript | 2022-11-01
Apache | Apache spark: CVE-2022-31777
CVE-2022-31777 (MEDIUM CVSS 5.4) | A stored cross-site scripting (XSS) | cvebase.io