PT-2018-18389 · Mozilla+3 · Firefox+3
Spencer Gietzen
·
Published
2018-07-12
·
Updated
2019-03-14
·
CVE-2018-8024
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache Spark versions 2.1.0 through 2.1.2
Apache Spark versions 2.2.0 through 2.2.1
Apache Spark version 2.3.0
Description:
A malicious user can construct a URL pointing to a Spark cluster's UI's job and stage info pages. If a user is tricked into accessing the URL, it can be used to cause script to execute and expose information from the user's view of the Spark UI. Some browsers, like recent versions of Chrome and Safari, can block this type of attack, but current versions of Firefox (and possibly others) cannot.
Recommendations:
For Apache Spark versions 2.1.0 through 2.1.2, consider disabling access to the job and stage info pages in the Spark UI until a patch is available.
For Apache Spark versions 2.2.0 through 2.2.1, consider disabling access to the job and stage info pages in the Spark UI until a patch is available.
For Apache Spark version 2.3.0, consider disabling access to the job and stage info pages in the Spark UI until a patch is available.
As a temporary workaround, consider restricting access to the Spark UI to minimize the risk of exploitation.
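The access restriction recommended above expressed as a spark-defaults.conf fragment; this is an added example, not part of the advisory, and the principal names and the filter class are placeholders. The weak block is Spark's default, shown commented out next to the restricted settings.

```properties
# --- Weak (Spark's defaults, commented out): the UI answers to anyone who can reach
# the port, with no authentication and no view ACL, so a crafted job/stage page
# link works against whoever opens it.
# spark.ui.enabled      true
# spark.acls.enable     false

# --- Restricted, option A: take the UI offline until the patched release is deployed.
# spark.ui.enabled      false

# --- Restricted, option B: keep the UI up but gate it. View ACLs only take effect
# when an authentication filter sets the request's remote user; without a filter
# every request is anonymous and the ACL cannot tell viewers apart.
spark.ui.enabled        true
spark.acls.enable       true
# placeholder principals allowed to view job/stage pages
spark.ui.view.acls      spark-admin,ops-team
# placeholder servlet filter class that authenticates UI requests
spark.ui.filters        com.example.auth.UiAuthFilter
```

Trailing comments are deliberately kept on their own lines: Spark loads this file as Java properties, so a `#` after a value would become part of the value.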
Fix
Information Disclosure
Weakness Enumeration
Related identifiers
Affected products
Apache Spark
Google Chrome
Firefox
Safari