CVE-2018-8024
Description
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Spark UI vulnerable to cross-site scripting (XSS) via crafted URLs, affecting versions 2.1.0-2.1.2, 2.2.0-2.2.1, and 2.3.0.
Vulnerability
Apache Spark versions 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0 are vulnerable to a reflected cross-site scripting (XSS) issue [1][2]. A malicious user can craft a URL pointing to the Spark cluster's UI job and stage info pages that includes malicious script. When a user accesses the crafted URL, the script executes in the context of the victim's browser session.
Exploitation
An attacker must get a user to open a specially crafted URL; because the issue is reflected, the payload travels in the URL itself and nothing has to be stored on the cluster. The victim must be using a browser that does not block this type of attack: at the time of disclosure, recent versions of Chrome and Safari blocked it with their reflected-XSS filters, while Firefox (and possibly others) did not [2]. Chrome has since removed that filter (the XSS Auditor), so browser-side blocking should not be relied on. No authentication is required beyond being able to reach the UI, which is unauthenticated unless a servlet filter has been configured and may be exposed to the network.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the Spark UI domain. This can lead to information disclosure from the user's view of the Spark UI, potentially exposing sensitive data such as job configurations, logs, or credentials displayed in the UI [1][2].
Mitigation
Apache Spark fixed the issue in 2.1.3, 2.2.2 and 2.3.1; later releases are not affected [3]. Users should upgrade to one of these versions. If upgrading is not possible, restrict access to the Spark UI to trusted networks only, for example with firewall rules or an authenticating servlet filter configured through spark.ui.filters [1].
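As an added example (not code from this page, the Spark project or the advisory), the Python below does the two checks a practitioner wants when triaging this CVE: it tests a Spark version string against the affected ranges in the advisory table on this page, and it classifies whether a UI response reflects a query-string canary raw or entity-encoded, next to a constructed before/after rendering pattern that shows the fix (encode before interpolating into markup). The `jobs/job/` path, the `id` parameter and the sample HTML are assumptions for illustration; the advisory does not name the vulnerable parameter, and the version check follows the GHSA ranges rather than the broader 1.0.0 to 2.1.2 range in the NVD product entry.

```python
"""
Triage helpers for CVE-2018-8024 (reflected XSS in the Spark UI job/stage pages).

  1. is_affected(): is a Spark version inside the advisory's affected ranges?
  2. classify_reflection(): does a page echo a query-string canary unescaped?

All HTML below is constructed sample data; nothing touches the network.
The page path and parameter name in probe_url() are assumptions.
"""
import html
from urllib.parse import urlencode, urljoin

# Affected ranges as listed in the GitHub Security Advisory: [start, fixed).
AFFECTED_RANGES = (
    ((2, 1, 0), (2, 1, 3)),
    ((2, 2, 0), (2, 2, 2)),
    ((2, 3, 0), (2, 3, 1)),
)


def parse_version(version: str) -> tuple:
    """Turn '2.2.1' or '2.2.1-SNAPSHOT' into a comparable tuple of ints."""
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Spark version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


# Harmless canary carrying the characters an XSS payload needs (<, >, ").
# If a page echoes it byte-for-byte, the page is not encoding its output.
CANARY = '<xss"canary>'


def probe_url(base_url: str, page: str = "jobs/job/", param: str = "id") -> str:
    """Build the URL a tester would request (page and param are assumptions)."""
    return urljoin(base_url.rstrip("/") + "/", page) + "?" + urlencode({param: CANARY})


def classify_reflection(body: str) -> str:
    """
    'unescaped' -> canary appears raw in the HTML (reflected XSS possible)
    'escaped'   -> canary appears only entity-encoded (safe rendering)
    'absent'    -> canary is not reflected at all
    """
    if CANARY in body:
        return "unescaped"
    if html.escape(CANARY, quote=True) in body or html.escape(CANARY, quote=False) in body:
        return "escaped"
    return "absent"


def render_job_page_vulnerable(job_id: str) -> str:
    """Constructed 'before' pattern: user input concatenated straight into HTML."""
    return f"<html><body><h3>Details for job {job_id}</h3></body></html>"


def render_job_page_fixed(job_id: str) -> str:
    """Constructed 'after' pattern: entity-encode the input before interpolation."""
    return f"<html><body><h3>Details for job {html.escape(job_id, quote=True)}</h3></body></html>"


if __name__ == "__main__":
    for ver in ("2.1.2", "2.1.3", "2.3.0", "2.3.1", "2.2.0-SNAPSHOT"):
        print(ver, "affected" if is_affected(ver) else "not in affected ranges")
    print("probe:", probe_url("http://spark-master:4040"))
    print("vulnerable render:", classify_reflection(render_job_page_vulnerable(CANARY)))
    print("fixed render:     ", classify_reflection(render_job_page_fixed(CANARY)))
```

To use it against a live UI, request probe_url(...) with any HTTP client and pass the response body to classify_reflection(); an 'unescaped' result means the page interpolates the parameter into HTML without encoding, which is the condition behind this CVE regardless of what the version string says.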
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.spark:spark-core_2.10 (Maven) | >= 2.1.0, < 2.1.3 | 2.1.3 |
| org.apache.spark:spark-core_2.10 (Maven) | >= 2.2.0, < 2.2.2 | 2.2.2 |
| org.apache.spark:spark-core_2.11 (Maven) | >= 2.1.0, < 2.1.3 | 2.1.3 |
| org.apache.spark:spark-core_2.11 (Maven) | >= 2.2.0, < 2.2.2 | 2.2.2 |
| org.apache.spark:spark-core_2.11 (Maven) | >= 2.3.0, < 2.3.1 | 2.3.1 |
Affected products
5 products (4 OSV coordinates with version ranges, 1 CVE record entry):
- pkg:apk/chainguard/firefox (no CPE), range: < 136.0.2-r0
- pkg:apk/wolfi/firefox (no CPE), range: < 136.0.2-r0
- pkg:maven/org.apache.spark/spark-core_2.10 (no CPE), range: >= 2.1.0, < 2.1.3
- pkg:maven/org.apache.spark/spark-core_2.11 (no CPE), range: >= 2.1.0, < 2.1.3
- Apache Software Foundation / Apache Spark (v5 record), range: 1.0.0 to 2.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8cw6-5qvp-q3wj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8024 (NVD entry, listed by GHSA)
- lists.apache.org/thread.html/5f241d2cda21cbcb3b63e46e474cf5f50cce66927f08399f4fab0aba@%3Cdev.spark.apache.org%3E (dev@spark.apache.org announcement; MITRE x_refsource_MLIST, also listed by GHSA)
- spark.apache.org/security.html (vendor confirmation; x_refsource_CONFIRM, listed by GHSA)
News mentions
No linked articles in our index yet.