VYPR
Moderate severity · NVD Advisory · Published Nov 1, 2022 · Updated May 6, 2025

Apache Spark XSS vulnerability in log viewer UI Javascript

CVE-2022-31777

Description

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Spark 3.2.1 and earlier, and 3.3.0, contain a stored XSS vulnerability in the log viewer UI, allowing arbitrary JavaScript execution via malicious log payloads.

Vulnerability

Overview

CVE-2022-31777 is a stored cross-site scripting (XSS) vulnerability in Apache Spark's log viewer UI. The flaw exists because user-controllable log entries are rendered in the web interface without proper sanitization, allowing an attacker to inject arbitrary JavaScript into the browser session of any user viewing those logs [1][4].

Exploitation

An attacker who can cause a malicious payload to appear in Spark logs—for example, by submitting a job that logs crafted content—can trigger the XSS when an administrator or other user accesses the Spark UI's log viewer. No special network position is required beyond the ability to submit jobs or otherwise influence log output; the attack is stored and does not require user interaction beyond viewing the affected logs [4].
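Because an unpatched viewer handed each log chunk to the browser as HTML, any tag present in a log line was parsed rather than displayed. The scanner below, an added example that is not Spark project code, uses the Python standard-library HTML parser to find such tags (and any on* event-handler attributes) in raw log text, which is what an operator would want when reviewing logs produced while an affected version was in service. The sample log lines, the HIGH_RISK_TAGS set and the severity labels are constructed for this example.

```python
# Added example (not Spark project code): scan raw Spark log text for HTML
# markup. Before the SPARK-39505 fix the log viewer inserted log chunks into
# the page as an HTML string, so any tag in a log line was parsed by the
# browser. Sample log lines below are constructed for the example.
from html.parser import HTMLParser

# Elements that can run script on their own; any on* attribute counts as well.
# (Assumed set for this example, not a list taken from the advisory.)
HIGH_RISK_TAGS = {"script", "iframe", "object", "embed"}


class MarkupFinder(HTMLParser):
    """Collect start tags and event-handler attributes seen in one line."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append(f"{tag}@{name}")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def find_markup(line):
    """Return the tags and on* attributes the HTML parser finds in `line`."""
    parser = MarkupFinder()
    parser.feed(line)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers}


def classify(tags, handlers):
    """'high' when the markup could execute script, otherwise 'info'."""
    if handlers or HIGH_RISK_TAGS.intersection(tags):
        return "high"
    return "info"


def scan_log(text):
    """Return a list of (line_no, tags, handlers, severity) for lines with markup."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "<" not in line:          # cheap pre-filter; the parser decides
            continue
        found = find_markup(line)
        if found["tags"]:
            findings.append((line_no, found["tags"], found["handlers"],
                             classify(found["tags"], found["handlers"])))
    return findings


# Constructed sample: two ordinary lines (one with a bare "<" comparison),
# one with harmless markup, one with an event-handler attribute carrying a
# placeholder value, and a JVM stack-trace line.
SAMPLE_LOG = """\
22/06/17 10:00:01 INFO SparkContext: Running Spark version 3.2.1
22/06/17 10:00:02 WARN Scheduler: pending 3 < 5, not rescaling
22/06/17 10:00:03 INFO Job: user note: <b>batch-42</b>
22/06/17 10:00:04 ERROR Task: bad record <svg onload="placeholder()"> in input
\tat java.lang.Object.<init>(Object.java:42)
"""

if __name__ == "__main__":
    for line_no, tags, handlers, severity in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {severity:4} tags={tags} handlers={handlers}")
```

The stack-trace line is reported too: the JVM writes constructors as `<init>`, which the HTML parser reads as a start tag, so plain "info" hits from `<init>` and `<clinit>` are expected noise in Spark logs and should be tuned out, while any "high" finding (an on* attribute or a script-capable element) is the kind of content this CVE concerns. A bare `<` used as a comparison operator does not produce a tag and is not reported.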

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, or further actions within the Spark UI, potentially compromising the cluster's security [1][4].

Mitigation

Apache Spark has addressed this issue in maintenance releases 3.2.2 and 3.3.1. Users running affected versions (3.2.1 and earlier, or 3.3.0) should upgrade immediately. The PySpark package (via PyPI) is also affected and updated accordingly [3][4]. No workaround is available; upgrading is the recommended course of action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions    Patched versions
pyspark                              PyPI        < 3.2.2              3.2.2
pyspark                              PyPI        >= 3.3.0, < 3.3.1    3.3.1
org.apache.spark:spark-core_2.9.3    Maven       >= 0                 (none listed)
org.apache.spark:spark-core_2.13     Maven       < 3.2.2              3.2.2
org.apache.spark:spark-core_2.13     Maven       >= 3.3.0, < 3.3.1    3.3.1
org.apache.spark:spark-core_2.12     Maven       < 3.2.2              3.2.2
org.apache.spark:spark-core_2.12     Maven       >= 3.3.0, < 3.3.1    3.3.1
org.apache.spark:spark-core_2.11     Maven       >= 0                 (none listed)
org.apache.spark:spark-core_2.10     Maven       >= 0                 (none listed)


Patches

Commit ad90195de566

[SPARK-39505][UI] Escape log content rendered in UI

https://github.com/apache/spark · Sean Owen · Jun 17, 2022 · via GHSA
1 file changed · +2 −2
  • core/src/main/resources/org/apache/spark/ui/static/log-view.js · +2 −2 · modified
    @@ -85,7 +85,7 @@ function loadMore() {
           if (retStartByte == 0) {
             disableMoreButton();
           }
    -      $("pre", ".log-content").prepend(cleanData);
    +      $("pre", ".log-content").prepend(document.createTextNode(cleanData));
     
           curLogLength = curLogLength + (startByte - retStartByte);
           startByte = retStartByte;
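Review bot: wrapping the chunk in `document.createTextNode()` is the right fix, because jQuery's `.prepend()` treats a string argument as HTML and so handed any markup in the log chunk to the parser, but the variable is still named `cleanData` although nothing on this path sanitizes it; renaming it to something like `logText` would stop a later edit from reading the name as a guarantee and going back to `.prepend(cleanData)`.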
    @@ -115,7 +115,7 @@ function loadNew() {
                 var retLogLength = dataInfo[2];
     
                 var cleanData = data.substring(newlineIndex + 1);
    -            $("pre", ".log-content").append(cleanData);
    +            $("pre", ".log-content").append(document.createTextNode(cleanData));
     
                 curLogLength = curLogLength + (retEndByte - retStartByte);
                 endByte = retEndByte;
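Review bot: the same change is applied consistently on the append path; here `cleanData` is `data.substring(newlineIndex + 1)`, i.e. the raw response body after the header line, so the text node is the only thing keeping it out of the HTML parser. The header fields taken from `dataInfo` (such as `dataInfo[2]` into `retLogLength`) are not shown reaching the DOM in this hunk; if any of them are displayed elsewhere they need the same treatment, and a one-line comment at both sites saying why `createTextNode` is required would make the intent survive future refactors.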
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
