{ "threat_severity" : "Moderate", "public_date" : "2022-11-01T00:00:00Z", "bugzilla" : { "description" : "apache-spark: XSS vulnerability in log viewer UI Javascript", "id" : "2145264", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2145264" }, "cvss3" : { "cvss3_base_score" : "5.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-74", "details" : [ "A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.", "A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI." ], "affected_release" : [ { "product_name" : "RHINT Camel-Springboot 3.20.1", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2100", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.20.1", "package" : "apache-spark" } ], "package_state" : [ { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "apache-spark", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "apache-spark", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Will not fix", "package_name" : "apache-spark", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "apache-spark", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-31777\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31777" ], "name" : "CVE-2022-31777", "csaw" : false }