CVE-2018-8024: Apache Spark XSS vulnerability in UI
Description: In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it’s possible for a malicious user to construct a URL pointing to a Spark cluster’s UI’s job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user’s view of the Spark UI.
Versions Affected: Apache Spark versions 2.1.0-2.1.2, 2.2.0-2.2.1, 2.3.0
Researcher: Spencer Gietzen (https://github.com/SpenGietz)
Disclosure Link: https://spark.apache.org/security.html#CVE-2018-8024
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2018-8024
Here are two working examples: