Fluid Attacks Database

Description

Apache Spark vulnerable to Log Injection A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.apache.spark:spark-core	>=0 <3.2.2 \|\| >=3.3.0 <3.3.1 \|\| >=3.3.0 <=3.3.0	3.2.2, 3.3.1
pypi	pyspark	>=0 <3.2.2 \|\| =3.3.0 \|\| >=3.3.0 <3.3.1	3.2.2, 3.3.1
maven	org.apache.spark:spark-core_2.13	>=0 <3.2.2 \|\| =3.3.0 \|\| >=3.3.0 <3.3.1	3.2.2, 3.3.1
maven	org.apache.spark:spark-core_2.10	>=0 <3.2.2	-
maven	org.apache.spark:spark-core_2.12	>=0 <3.2.2 \|\| =3.3.0 \|\| >=3.3.0 <3.3.1	3.2.2, 3.3.1
maven	org.apache.spark:spark-core_2.11	>=0 <3.2.2	-
maven	org.apache.spark:spark-core_2.9.3	>=0 <3.2.2	-

Aliases

1. CVE-2022-317772. NVD-2022-317773. OSV-2022-317774. GHSA-43xg-8wmj-cw8h5. GCVE-2022-31777

References

1. https://github.com/apache/spark/commit/ad90195de56688ce0898691eb9d04297ab0871ad2. https://github.com/apache/spark3. https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2022-42976.yaml4. https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q5. https://web.archive.org/web/20220728105026/https://issues.apache.org/jira/browse/SPARK-395056. http://www.openwall.com/lists/oss-security/2022/11/01/14