Page 3 of 16 results (0.003 seconds)

CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not. En Apache Spark versión 2.1.0 hasta 2.1.2, versión 2.2.0 hasta 2.2.1 y versión 2.3.0, es posible que un usuario malicioso construya una dirección URL que apunte a las páginas de información de trabajo y etapa de la Interfaz de Usuario del clúster Spark, y si un usuario puede ser engañado para que acceda a la dirección URL, puede ser usado para causar que el script se ejecute y exponga información de la vista del usuario de la IU de Spark. Mientras que algunos navegadores como las versiones recientes de Chrome y Safari son capaces de bloquear este tipo de ataque, las versiones actuales de Firefox (y posiblemente otros) no lo hacen. • https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E https://spark.apache.org/security.html#CVE-2018-8024 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. En Apache Spark 1.0.0 a 2.1.2, 2.2.0 a 2.2.1 y 2.3.0, al emplear PySpark o SparkR, es posible que un usuario local diferente se conecte a la aplicación Spark y suplante al usuario que ejecuta la aplicación Spark. • https://lists.apache.org/thread.html/4d6d210e319a501b740293daaeeeadb51927111fb8261a3e4cd60060%40%3Cdev.spark.apache.org%3E https://spark.apache.org/security.html#CVE-2018-1334 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark. En Spark en versiones anteriores a la 2.7.2, un atacante remoto puede leer archivos estáticos no deseados mediante varias representaciones de nombres de ruta relativos o absolutos, tal y como queda demostrado con las secuencias de URL de archivos y saltos de directorio. NOTA: este producto no está relacionado con Ignite Realtime Spark. • http://sparkjava.com/news#spark-272-released https://access.redhat.com/errata/RHSA-2018:2020 https://access.redhat.com/errata/RHSA-2018:2405 https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668 https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc https://github.com/perwendel/spark/issues/981 https://access.redhat.com/security/cve/CVE-2018-9159 https://bugzilla.redhat.com/show_bug • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0

In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. • http://www.securityfocus.com/bid/100823 https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. En Spark anterior a versión 2.2.0 de Apache, es posible que un atacante tome ventaja de la confianza de un usuario en el servidor para engañarlo y que visite un enlace que apunte a un clúster Spark compartido y envíe datos incluyendo MHTML al master Spark , o un historial del servidor. Esta información, que podría contener un script, se reflejaría de vuelta hacia al usuario y podría ser evaluada y ejecutada por los clientes basados en MS Windows. • http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html http://www.securityfocus.com/bid/99603 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •