CVE-2017-7678

Опубликовано: 12 июл. 2017

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.

Ссылки

http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html
Vendor Advisory
http://www.securityfocus.com/bid/99603
Third Party Advisory
VDB Entry
http://apache-spark-developers-list.1001551.n3.nabble.com/CVE-2017-7678-Apache-Spark-XSS-web-UI-MHTML-vulnerability-td21947.html
Vendor Advisory
http://www.securityfocus.com/bid/99603
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*

Версия до 2.1.1 (включая)

EPSS

Процентиль: 82%

0.0179

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2017-7678

CVSS3: 6.1

debian

больше 8 лет назад

In Apache Spark before 2.2.0, it is possible for an attacker to take a ...

GHSA-r34r-f84j-5x4x

CVSS3: 6.1

github

около 7 лет назад

Moderate severity vulnerability that affects org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11

EPSS

Процентиль: 82%

0.0179

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79