CVE-2017-7678

medium Apache
CVSS v3 Base Score
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
1.4%
Exploitation probability in 30 days
Top 19% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
Low
Integrity
Low
Availability
None
Published: July 12, 2017 (3228 days ago)
Last Modified: May 13, 2026
Vendor: Apache
Source: NVD

Description

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.

CWE

CWE-79

Affected Products

apache spark

References

🔗 apache-spark-developers-list.1001551.n3.nabble.com 🔗 www.securityfocus.com 🔗 apache-spark-developers-list.1001551.n3.nabble.com 🔗 www.securityfocus.com