This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/spark-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new 9fbf9cdf9 Add CVE-2022-31777 9fbf9cdf9 is described below commit 9fbf9cdf924a103304619c8491c0596fb2c0349b Author: Sean Owen <sro...@gmail.com> AuthorDate: Tue Nov 1 10:24:21 2022 -0500 Add CVE-2022-31777 Author: Sean Owen <sro...@gmail.com> Closes #426 from srowen/CVE202231777. --- security.md | 26 ++++++++++++++++++++++++++ site/security.html | 31 +++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/security.md b/security.md index a4b470cd6..c648bbbe7 100644 --- a/security.md +++ b/security.md @@ -18,6 +18,32 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript</h3> + +Severity: Medium + +Vendor: The Apache Software Foundation + +Versions Affected: + +- 3.2.1 and earlier +- 3.3.0 + +Description: + +A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote +attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into +the logs which would be returned in logs rendered in the UI. + +Mitigation: + +- Upgrade to Spark 3.2.2, or 3.3.1 or later + +Credit: + +- Florian Walter (Veracode) + + <h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI</h3> Severity: Important diff --git a/site/security.html b/site/security.html index b265ae8a6..31e772a67 100644 --- a/site/security.html +++ b/site/security.html 
@@ -133,6 +133,37 @@ non-public list that will reach the Apache Security team, as well as the Spark P <h2>Known security issues</h2> +<h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript</h3> + +<p>Severity: Medium</p> + +<p>Vendor: The Apache Software Foundation</p> + +<p>Versions Affected:</p> + +<ul> + <li>3.2.1 and earlier</li> + <li>3.3.0</li> +</ul> + +<p>Description:</p> + +<p>A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote +attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into +the logs which would be returned in logs rendered in the UI.</p> + +<p>Mitigation:</p> + +<ul> + <li>Upgrade to Spark 3.2.2, or 3.3.1 or later</li> +</ul> + +<p>Credit:</p> + +<ul> + <li>Florian Walter (Veracode)</li> +</ul> + <h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI</h3> <p>Severity: Important</p>
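Review bot: The Description sentence in the security.md hunk reads awkwardly ("including a malicious payload into the logs which would be returned in logs rendered in the UI"); consider tightening it to "by injecting a malicious payload into application logs that the log viewer UI then renders", and use "JavaScript" consistently, since the heading says "Javascript" while the description says "JavaScript". The Mitigation bullet "Upgrade to Spark 3.2.2, or 3.3.1 or later" is also ambiguous about whether 3.2.x releases after 3.2.2 are covered; "Upgrade to 3.2.2 or later in the 3.2 line, or to 3.3.1 or later" would be clearer.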
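Review bot: The site/security.html hunk carries the same Description wording and the same "Javascript"/"JavaScript" inconsistency as the security.md hunk; since this file is the rendered copy of security.md, apply any wording fix in the markdown and regenerate the HTML rather than editing it by hand, so the two files do not drift. The heading id "CVE-2022-31777" matches between the two files, which keeps anchor links to the entry working.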