A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| pyspark(PyPI) | 0 | 3.2.2 | N/A |
| pyspark(PyPI) | 3.3.0 | 3.3.1 | N/A |
| org.apache.spark:spark-core_2.9.3(Maven) | 0 | N/A | N/A |
| org.apache.spark:spark-core_2.13(Maven) | 0 | 3.2.2 | N/A |
| org.apache.spark:spark-core_2.13(Maven) | 3.3.0 | 3.3.1 | N/A |
| org.apache.spark:spark-core_2.12(Maven) | 0 | 3.2.2 | N/A |
| org.apache.spark:spark-core_2.12(Maven) | 3.3.0 | 3.3.1 | N/A |
| org.apache.spark:spark-core_2.11(Maven) | 0 | N/A | N/A |
| org.apache.spark:spark-core_2.10(Maven) | 0 | N/A | N/A |
CVSS Metrics
