CVE-2017-7678

Name of the Vulnerable Software and Affected Versions Apache Spark versions prior to 2.2.0

Description The issue allows an attacker to trick users into visiting a malicious link that submits data, including MHTML, to the Spark master or history server. This data could contain a script that would be reflected back to the user and potentially executed by MS Windows-based clients when viewing elements of the Spark web UIs. The attack exploits the user's trust in the server.

Recommendations For versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Spark web UIs to minimize the risk of exploitation. Avoid clicking on untrusted links that point to shared Spark clusters.