This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/spark-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 9fbf9cdf9 Add CVE-2022-31777
9fbf9cdf9 is described below

commit 9fbf9cdf924a103304619c8491c0596fb2c0349b
Author: Sean Owen <sro...@gmail.com>
AuthorDate: Tue Nov 1 10:24:21 2022 -0500

    Add CVE-2022-31777
    
    Author: Sean Owen <sro...@gmail.com>
    
    Closes #426 from srowen/CVE202231777.
---
 security.md        | 26 ++++++++++++++++++++++++++
 site/security.html | 31 +++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/security.md b/security.md
index a4b470cd6..c648bbbe7 100644
--- a/security.md
+++ b/security.md
@@ -18,6 +18,32 @@ non-public list that will reach the Apache Security team, as 
well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log 
viewer UI Javascript</h3>
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- 3.2.1 and earlier
+- 3.3.0
+
+Description:
+
+A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and 
earlier, and 3.3.0, allows remote 
+attackers to execute arbitrary JavaScript in the web browser of a user, by 
including a malicious payload into 
+the logs which would be returned in logs rendered in the UI.
+
+Mitigation:
+
+- Upgrade to Spark 3.2.2, or 3.3.1 or later
+
+Credit:
+
+- Florian Walter (Veracode)
+
+
 <h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection 
vulnerability via Spark UI</h3>
 
 Severity: Important
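Review bot: The heading spells the language "Javascript" while the description body uses "JavaScript"; pick one form (the description's "JavaScript" is the conventional one) so the advisory title and text agree. Two smaller points in the same hunk: the description sentence "by including a malicious payload into the logs which would be returned in logs rendered in the UI" is hard to parse and would read better as "by placing a malicious payload in log output that is later rendered by the log viewer UI"; and the entry closes with two blank lines before the CVE-2022-33891 heading where the neighbouring entries use one. The Mitigation section lists only the upgrade; if no interim workaround exists for deployments that cannot upgrade immediately, consider saying so explicitly so readers do not look for one elsewhere.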
diff --git a/site/security.html b/site/security.html
index b265ae8a6..31e772a67 100644
--- a/site/security.html
+++ b/site/security.html
@@ -133,6 +133,37 @@ non-public list that will reach the Apache Security team, 
as well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2022-31777">CVE-2022-31777: Apache Spark XSS vulnerability in log 
viewer UI Javascript</h3>
+
+<p>Severity: Medium</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected:</p>
+
+<ul>
+  <li>3.2.1 and earlier</li>
+  <li>3.3.0</li>
+</ul>
+
+<p>Description:</p>
+
+<p>A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and 
earlier, and 3.3.0, allows remote 
+attackers to execute arbitrary JavaScript in the web browser of a user, by 
including a malicious payload into 
+the logs which would be returned in logs rendered in the UI.</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>Upgrade to Spark 3.2.2, or 3.3.1 or later</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>Florian Walter (Veracode)</li>
+</ul>
+
 <h3 id="CVE-2022-33891">CVE-2022-33891: Apache Spark shell command injection 
vulnerability via Spark UI</h3>
 
 <p>Severity: Important</p>
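Review bot: This hunk carries the same "Javascript" vs "JavaScript" inconsistency and the same awkward description sentence as the security.md hunk, which is expected since site/security.html appears to be the rendered form of security.md; fix the wording in the markdown source and regenerate the HTML rather than patching both copies by hand, otherwise the two will drift the next time one is edited. Note also that the markdown version ends its new entry with two blank lines and this HTML version with one, which is the kind of divergence that regenerating from source avoids.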

