[ 
https://issues.apache.org/jira/browse/LIVY-895?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gyorgy Gal updated LIVY-895:
----------------------------
    Fix Version/s: 0.10.0
                       (was: 0.9.0)

This issue has been moved to the 0.10.0 release as part of a bulk update. If 
you feel this is moved out inappropriately, feel free to provide justification 
and reset the Fix Version to 0.9.0.

> Livy service improper error handling
> ------------------------------------
>
>                 Key: LIVY-895
>                 URL: https://issues.apache.org/jira/browse/LIVY-895
>             Project: Livy
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 0.7.0
>            Reporter: Evelyn Liang
>            Priority: Major
>             Fix For: 0.10.0
>
>         Attachments: livy 500 sever error.rtf
>
>
> Affected API: POST /sessions
> Description: The application does not handle exceptions properly. When a junk 
> character is supplied to the parameter, it causes an exception and the server 
> responds with response code 500, which should not be visible to the end user. 
> It was observed that, throughout the applications and APIs in scope, JSON 
> parsers, XML parsers and the application server throw exceptions and stack 
> traces in several cases. 
> Risk:
> If an attacker probes the application by forging a request that contains 
> parameters or parameter values other than the ones expected by the 
> application, the application may enter an undefined state that makes it 
> vulnerable to attack. The attacker can gain useful information from the 
> application's response to this request, which may be exploited to locate 
> application weaknesses.
> Fix:
> Check incoming requests for the presence of all expected parameters and 
> values. When a parameter is missing, issue a proper error message or use 
> default values. The application should verify that its input consists of 
> valid characters (after decoding). For example, an input value containing the 
> null byte (encoded as %00), apostrophe, quotes, etc. should be rejected. 
> Enforce values in their expected ranges and types. 
> Evidence:
> In the attachment
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
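The validation described under "Fix" above, written out as an added Python example that is not Livy's own code: a hypothetical POST /sessions handler that parses the JSON body, rejects unknown parameters, control characters (including NUL, checked after JSON decoding so a `\u0000` escape is caught), wrong types and out-of-range values with a 400 and a short message, and maps anything unexpected to a generic 500 while logging the detail server-side. The parameter names, defaults, ranges and allowed session kinds are assumptions for illustration rather than Livy's actual schema, and `naive_handle` is a constructed model of the reported "before" behaviour (500 carrying the stack trace), not Livy's code.

```python
import json
import logging
import re
import traceback
from typing import Any, Dict, Tuple

log = logging.getLogger("livy-sessions-example")  # hypothetical logger name

# Hypothetical subset of POST /sessions parameters with their expected JSON types.
EXPECTED: Dict[str, type] = {
    "kind": str,
    "proxyUser": str,
    "driverMemory": str,
    "executorMemory": str,
    "driverCores": int,
    "executorCores": int,
    "numExecutors": int,
    "conf": dict,
}
# Assumed defaults for parameters the client may omit, and assumed integer ranges.
DEFAULTS: Dict[str, Any] = {"driverCores": 1, "executorCores": 1, "numExecutors": 1}
INT_RANGES: Dict[str, Tuple[int, int]] = {
    "driverCores": (1, 256), "executorCores": (1, 256), "numExecutors": (1, 10000),
}
ALLOWED_KINDS = {"spark", "pyspark", "sparkr", "sql"}  # assumed
MEMORY_RE = re.compile(r"^[1-9][0-9]*[kmgt]$", re.IGNORECASE)  # e.g. 512m, 4g
PROXY_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # assumed allowlist
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")  # NUL and other control characters


class BadRequest(ValueError):
    """Client-side input problem; safe to report back with a short message."""


def _no_control_chars(name: str, value: str) -> None:
    # Runs on the decoded value, so a JSON "\u0000" escape is rejected too.
    if CONTROL_RE.search(value):
        raise BadRequest(f"{name}: control characters are not allowed")


def validate_create_session(raw_body: bytes) -> Dict[str, Any]:
    """Parse and validate a POST /sessions body; raise BadRequest on any client error."""
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        raise BadRequest("body must be a UTF-8 encoded JSON object")
    if not isinstance(body, dict):
        raise BadRequest("body must be a JSON object")

    unknown = sorted(set(body) - set(EXPECTED))
    if unknown:
        raise BadRequest("unexpected parameter(s): " + ", ".join(unknown))

    params: Dict[str, Any] = dict(DEFAULTS)
    params.update(body)
    for name, value in params.items():
        expected = EXPECTED[name]
        # bool is a subclass of int in Python, so reject it explicitly for int fields.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise BadRequest(f"{name}: expected {expected.__name__}")
        if isinstance(value, str):
            _no_control_chars(name, value)
        if name in INT_RANGES:
            lo, hi = INT_RANGES[name]
            if not lo <= value <= hi:
                raise BadRequest(f"{name}: must be between {lo} and {hi}")

    if "kind" in params and params["kind"] not in ALLOWED_KINDS:
        raise BadRequest("kind: unsupported session kind")
    if "proxyUser" in params and not PROXY_USER_RE.match(params["proxyUser"]):
        raise BadRequest("proxyUser: invalid user name")
    for name in ("driverMemory", "executorMemory"):
        if name in params and not MEMORY_RE.match(params[name]):
            raise BadRequest(f"{name}: expected a size such as 512m or 4g")
    for key, val in params.get("conf", {}).items():
        if not isinstance(val, str):
            raise BadRequest("conf: values must be strings")
        _no_control_chars("conf", key + val)
    return params


def handle_create_session(raw_body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Hardened handler: 400 for bad input, generic 500 (details only logged) otherwise."""
    try:
        params = validate_create_session(raw_body)
    except BadRequest as exc:
        return 400, {"msg": str(exc)}
    except Exception:  # last-resort guard: never let exception text reach the client
        log.exception("unexpected error while creating session")
        return 500, {"msg": "internal server error"}
    # Actually starting a session is out of scope here; echo the validated parameters.
    return 201, {"state": "starting", "params": params}


def naive_handle(raw_body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Constructed model of the reported behaviour: any failure leaks a stack trace as a 500."""
    try:
        body = json.loads(raw_body)
        return 201, {"kind": body["kind"], "executorCores": int(body.get("executorCores", 1))}
    except Exception:
        return 500, {"msg": traceback.format_exc()}


if __name__ == "__main__":
    # Constructed junk inputs: malformed JSON, a NUL byte inside a string, a wrong type.
    for body in (b"not json", b'{"kind": "py\\u0000spark"}', b'{"kind": "spark", "executorCores": "two"}'):
        print(naive_handle(body)[0], "->", handle_create_session(body))
```

The two handlers differ only in what happens on failure: the naive one turns every parse or type error into a 500 whose body is the traceback, which is exactly the information leak the report describes, while the hardened one answers client mistakes with a 400 and a message that names the offending parameter but nothing about the server's internals.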
