{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-31777", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T07:26:01.073Z", "dateReserved": "2022-05-27T00:00:00", "datePublished": "2022-11-01T00:00:00"}, "containers": {"cna": {"affected": [{"product": "Apache Spark", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "3.3.0"}, {"lessThanOrEqual": "3.2.1", "status": "affected", "version": "3.2.1 and earlier", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Florian Walter (Veracode)"}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-11-21T10:47:08.273Z"}, "references": [{"url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"}, {"name": "[oss-security] 20221101 CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"}], "source": {"defect": ["SPARK-39505"], "discovery": "UNKNOWN"}, "title": "Apache Spark XSS vulnerability in log viewer UI Javascript", "workarounds": [{"lang": "en", "value": "Upgrade to Apache Spark maintenance releases 3.2.2, or 3.3.1 or later"}], "x_generator": {"engine": "Vulnogram 0.0.9"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:01.073Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q", "tags": ["x_transferred"]}, {"name": "[oss-security] 20221101 CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9E7146B-73E4-4CB5-89EC-4DDC270B2786", "versionEndExcluding": "3.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:spark:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "2797321B-479D-45EF-A50F-0EC8C5500761", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en Apache Spark 3.2.1 y anteriores, y 3.3.0, permite a atacantes remotos ejecutar JavaScript arbitrario en el navegador web de un usuario, al incluir un payload malicioso en los registros que ser\u00edan devuelto en registros representados en la interfaz de usuario."}], "id": "CVE-2022-31777", "lastModified": "2024-11-21T07:05:17.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-01T16:15:13.367", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2022/11/01/14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/60mgbswq2lsmrxykfxpqq13ztkm2ht6q"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "apache-spark", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}], "bugzilla": {"description": "apache-spark: XSS vulnerability in log viewer UI Javascript", "id": "2145264", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145264"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-74", "details": ["A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.", "A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI."], "name": "CVE-2022-31777", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "apache-spark", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "apache-spark", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "apache-spark", "product_name": "Red Hat Integration Camel Quarkus 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "apache-spark", "product_name": "Red Hat JBoss Data Grid 7"}], "public_date": "2022-11-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-31777\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31777"], "threat_severity": "Moderate"}