BIT-spark-2022-31777
Cross-site Scripting (XSS) vulnerability in spark-core (Maven)

Cross-site Scripting (XSS) No known exploit

What is BIT-spark-2022-31777 About?

This is a stored Cross-site Scripting (XSS) vulnerability found in Apache Spark versions 3.2.1 and earlier, and 3.3.0. It allows remote attackers to execute arbitrary JavaScript in a user's web browser by injecting malicious payloads into logs. Exploitation is relatively simple, requiring the attacker to introduce malicious data into Spark logs.

Affected Software

  • org.apache.spark:spark-core
    • >3.3.0, <3.3.1
    • <3.2.2
  • pyspark
    • >3.3.0, <3.3.1
    • <3.2.2

Technical Details

The Apache Spark web UI, in versions 3.2.1 and earlier, and 3.3.0, is susceptible to a stored Cross-site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code into the Spark application's logs. This can be achieved by, for example, causing an exception with a crafted error message, or by submitting data that gets directly logged and is not properly sanitized. When a legitimate user views these logs through the Spark web UI, the stored malicious payload is rendered in their browser without proper input validation or output encoding. This causes the attacker's JavaScript to execute in the user's browser context, potentially leading to session hijacking, data theft, or defacement of the UI.
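As an added illustration, not part of this advisory and not Apache Spark's own code, the JavaScript below contrasts the unsafe pattern described above (raw log text concatenated into HTML) with an output-encoded renderer, and adds a small triage check that flags log entries containing markup. All function names, the regular expression and the sample log lines are constructed for this example.

```javascript
// Added example (not Apache Spark's code): output-encoding log lines before
// they are embedded in an HTML log viewer, plus a triage heuristic for log
// entries that carry HTML or JavaScript syntax. All sample data is constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change HTML element or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (kept only for contrast): untrusted log text is dropped
// straight into markup, so any tag inside the log line becomes live HTML.
function renderLogRowUnsafe(line) {
  return `<tr><td>${line}</td></tr>`;
}

// Hardened pattern: every untrusted value passes through escapeHtml() before
// it is placed in the page, so tags render as visible text.
function renderLogRowSafe(line) {
  return `<tr><td>${escapeHtml(line)}</td></tr>`;
}

function renderLogTable(lines, renderRow = renderLogRowSafe) {
  return `<table>${lines.map(renderRow).join("")}</table>`;
}

// Defender-side triage heuristic: flag log entries containing a complete HTML
// tag, a javascript: URL or an inline event-handler attribute. Returns the
// indexes of matching lines. This is a detection aid, not a substitute for
// output encoding: line 2 below is not flagged but still needs escaping.
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=/i;
function findSuspiciousLogLines(lines) {
  return lines.map((l, i) => (SUSPICIOUS.test(l) ? i : -1)).filter((i) => i >= 0);
}

// Constructed sample log lines: a benign entry, an exception message carrying a
// script tag, and a job name with a stray "<" that is harmless but must still be encoded.
const SAMPLE_LOG = [
  "INFO TaskSetManager: Finished task 0.0 in stage 1.0",
  "ERROR Executor: Exception in task 1.0: <script>console.log('log-injected')</script>",
  "WARN Scheduler: job name 'a<b' submitted",
];

console.log(renderLogTable(SAMPLE_LOG));
console.log("suspicious line indexes:", findSuspiciousLogLines(SAMPLE_LOG));
```

Running the block prints the escaped table (the script tag appears as `&lt;script&gt;...`) and reports index 1 as suspicious. The third line shows why the heuristic alone is insufficient: `a<b` is not a tag and is not flagged, yet it would still break the markup if rendered unescaped, so encoding at output time remains the primary control.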

What is the Impact of BIT-spark-2022-31777?

Successful exploitation may allow attackers to execute arbitrary JavaScript code in the victim's browser, steal session cookies, deface web content, or perform actions on behalf of the victim.

What is the Exploitability of BIT-spark-2022-31777?

Exploitation of this XSS vulnerability ranges from low to medium complexity. An attacker needs to find a way to inject a malicious string into the Spark logs, which can often be achieved through various application inputs or error messages. No specific authentication or privilege is required for the XSS itself, though injecting data into logs might require some level of interaction with the Spark application. This is a remote vulnerability, as the victim views the malicious content via their web browser. The primary risk factor is the lack of proper input validation and output encoding of log data when displayed in the web UI, coupled with the potential for attackers to influence log content.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-spark-2022-31777?

Available Upgrade Options

  • pyspark
    • <3.2.2 → Upgrade to 3.2.2
  • pyspark
    • >3.3.0, <3.3.1 → Upgrade to 3.3.1
  • org.apache.spark:spark-core
    • <3.2.2 → Upgrade to 3.2.2
  • org.apache.spark:spark-core
    • >3.3.0, <3.3.1 → Upgrade to 3.3.1


Additional Resources

What are Similar Vulnerabilities to BIT-spark-2022-31777?

Similar Vulnerabilities: CVE-2023-24998, CVE-2023-28435, CVE-2023-32971, CVE-2023-39325, CVE-2023-27906