cvelist/2018/8xxx/CVE-2018-8024.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "DATE_PUBLIC": "2018-07-11T00:00:00",
        "ID": "CVE-2018-8024",
        "STATE": "PUBLIC"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Apache Spark",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "1.0.0 to 2.1.2"
                                        },
                                        {
                                            "version_value": "2.2.0 to 2.2.1"
                                        },
                                        {
                                            "version_value": "2.3.0"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "Apache Software Foundation"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "Cross-Site Scripting (XSS) Flaw"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://spark.apache.org/security.html#CVE-2018-8024",
                "refsource": "CONFIRM",
                "url": "https://spark.apache.org/security.html#CVE-2018-8024"
            },
            {
                "name": "[dev] 20180711 CVE-2018-8024 Apache Spark XSS vulnerability in UI",
                "refsource": "MLIST",
                "url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E"
            }
        ]
    }
}
- Synchronized data. 2018-03-09 16:03:15 -05:00			`{`
"-Synchronized-Data." 2019-03-18 01:11:35 +00:00			`"CVE_data_meta": {`
			`"ASSIGNER": "security@apache.org",`
			`"DATE_PUBLIC": "2018-07-11T00:00:00",`
			`"ID": "CVE-2018-8024",`
			`"STATE": "PUBLIC"`
			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Apache Spark",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_value": "1.0.0 to 2.1.2"`
			`},`
			`{`
			`"version_value": "2.2.0 to 2.2.1"`
			`},`
			`{`
			`"version_value": "2.3.0"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "Apache Software Foundation"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
			`"description": {`
			`"description_data": [`
- Added submissions from Apache Spark from 2018-07-11. 2018-07-12 08:04:49 -04:00			`{`
"-Synchronized-Data." 2019-03-18 01:11:35 +00:00			`"lang": "eng",`
			`"value": "In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not."`
- Added submissions from Apache Spark from 2018-07-11. 2018-07-12 08:04:49 -04:00			`}`
"-Synchronized-Data." 2019-03-18 01:11:35 +00:00			`]`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "Cross-Site Scripting (XSS) Flaw"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "https://spark.apache.org/security.html#CVE-2018-8024",`
			`"refsource": "CONFIRM",`
			`"url": "https://spark.apache.org/security.html#CVE-2018-8024"`
			`},`
			`{`
			`"name": "[dev] 20180711 CVE-2018-8024 Apache Spark XSS vulnerability in UI",`
			`"refsource": "MLIST",`
			`"url": "https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E"`
			`}`
			`]`
			`}`
			`}`