In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.spark:spark-core_2.11(Maven) | 0 | 2.2.0 | N/A |
| org.apache.spark:spark-core_2.10(Maven) | 0 | 2.2.0 | N/A |
CVSS Metrics
