Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2021/02/20/1 | Mailing List Patch Third Party Advisory |
https://github.com/apache/incubator-livy/commit/4d8a912699683b973eee76d4e91447d769a0cb0d | Patch Third Party Advisory |
https://lists.apache.org/thread.html/r2db14e7fd1e5ec2519e8828d43529bad623d75698cc7918af3a3f3ed%40%3Cuser.livy.apache.org%3E | Patch Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2021-02-20T09:00:15
Updated: 2021-02-20T09:06:39
Reserved: 2021-02-01T00:00:00
Link: CVE-2021-26544
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-02-20T09:15:12.377
Modified: 2021-02-26T14:18:56.573
Link: CVE-2021-26544
JSON object: View
Redhat Information
No data.
CWE