update CVE-2018-8024 to add apache spark fix versions and remove firefox
Signed-off-by: Weston Steimel <[email protected]>
1 parent
504d676
commit af0bca7
Showing
1 changed file
with
101 additions
and
0 deletions.
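--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,101 @@
+{
+"additionalMetadata": {
+"cna": "apache",
+"cveId": "CVE-2018-8024",
+"description": "In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.",
+"reason": "Add Apache Spark fixed versions and remove Firefox as an affected component",
+"references": [
+"https://lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba%40%3Cdev.spark.apache.org%3E",
+"https://spark.apache.org/security.html#CVE-2018-8024"
+]
+},
+"adp": {
+"affected": [
+{
+"cpes": [
+"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*"
+],
+"product": "Apache Spark",
+"vendor": "Apache Software Foundation",
+"versions": [
+{
+"lessThan": "2.1.3",
+"status": "affected",
+"version": "1.0.0",
+"versionType": "custom"
+},
+{
+"lessThan": "2.2.2",
+"status": "affected",
+"version": "2.2.0",
+"versionType": "custom"
+},
+{
+"lessThan": "2.3.1",
+"status": "affected",
+"version": "2.3.0",
+"versionType": "custom"
+}
+]
+},
+{
+"collectionURL": "https://repo.maven.apache.org",
+"cpes": [
+"cpe:2.3:a:org.apache.spark:spark-core_2.10:*:*:*:*:*:*:*:*"
+],
+"packageName": "org.apache.spark:spark-core_2.10",
+"packageType": "maven",
+"product": "org.apache.spark:spark-core_2.10",
+"vendor": "Apache Software Foundation",
+"versions": [
+{
+"lessThan": "2.1.3",
+"status": "affected",
+"version": "1.0.0",
+"versionType": "custom"
+},
+{
+"lessThan": "2.2.2",
+"status": "affected",
+"version": "2.2.0",
+"versionType": "custom"
+}
+]
+},
+{
+"collectionURL": "https://repo.maven.apache.org",
+"cpes": [
+"cpe:2.3:a:org.apache.spark:spark-core_2.11:*:*:*:*:*:*:*:*"
+],
+"packageName": "org.apache.spark:spark-core_2.11",
+"packageType": "maven",
+"product": "org.apache.spark:spark-core_2.11",
+"vendor": "Apache Software Foundation",
+"versions": [
+{
+"lessThan": "2.1.3",
+"status": "affected",
+"version": "1.0.0",
+"versionType": "custom"
+},
+{
+"lessThan": "2.2.2",
+"status": "affected",
+"version": "2.2.0",
+"versionType": "custom"
+},
+{
+"lessThan": "2.3.1",
+"status": "affected",
+"version": "2.3.0",
+"versionType": "custom"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}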
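Review bot: The three `"version": "1.0.0"` lower bounds (in the Apache Spark, spark-core_2.10 and spark-core_2.11 entries) assert that 1.x and 2.0.x releases are affected, while the `description` on the same record only names 2.1.0 to 2.1.2, 2.2.0 to 2.2.1 and 2.3.0, so a scanner matching on these ranges will flag versions the accompanying text does not. If the wider bound is taken from the referenced spark.apache.org security page, record that in `reason`, e.g. `"reason": "Add Apache Spark fixed versions and remove Firefox as an affected component; lower bound 1.0.0 follows the Apache Spark security page rather than the narrower CVE description",`. The `spark-core_2.10` entry also lacks the 2.3.0 to <2.3.1 range the other two entries carry; if that is because no 2.3.x artifact was published for that coordinate, a clause in `reason` would keep it from reading as an omission. `"versionType": "custom"` gives consumers no defined rule for comparing `version` against `lessThan`; if the consuming tooling accepts it, `"versionType": "semver"` would make these ranges machine-comparable.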