[
https://issues.apache.org/jira/browse/SPARK-27172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jerry Garcia updated SPARK-27172:
---------------------------------
Issue Type: Dependency upgrade (was: Question)
> CRLF Injection/HTTP response splitting on spark embedded jetty servlet.
> -----------------------------------------------------------------------
>
> Key: SPARK-27172
> URL: https://issues.apache.org/jira/browse/SPARK-27172
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Web UI
> Affects Versions: 1.6.2
> Reporter: Jerry Garcia
> Priority: Major
>
> Can we upgrade embedded jetty servlet on spark 1.6.2? As per our
> vulnerability scan embedded jetty servlet is vulnerable with CRLF injection
> attacks. Please do refer below information.
> Description:
> This script is possibly vulnerable to CRLF injection attacks. HTTP headers
> have the structure "Key: Value", where each line is separated by the CRLF
> combination. If the user input is injected into the value section without
> properly escaping/removing CRLF characters it is possible to alter the HTTP
> headers structure. HTTP Response Splitting is a new application attack
> technique which enables various new attacks such as web cache poisoning,
> cross user defacement, hijacking pages with sensitive user information and
> cross-site scripting (XSS). The attacker sends a single HTTP request that
> forces the web server to form an output stream, which is then interpreted by
> the target as two HTTP responses instead of one response.
> CWE #;
> CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP
> Response Splitting')
>
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
