[
https://issues.apache.org/jira/browse/SPARK-27172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jerry Garcia updated SPARK-27172:
---------------------------------
Description:
Can we upgrade the embedded Jetty servlet on Spark 1.6.2? Will there be any
dependencies that will be affected if we do upgrade it? The reason for doing this is
that we would like to patch the vulnerability that was scanned, which is the
CRLF injection attack. Please refer to the information below.
Description:
This script is possibly vulnerable to CRLF injection attacks. HTTP headers have
the structure "Key: Value", where each line is separated by the CRLF
combination. If the user input is injected into the value section without
properly escaping/removing CRLF characters it is possible to alter the HTTP
headers structure. HTTP Response Splitting is a new application attack
technique which enables various new attacks such as web cache poisoning, cross
user defacement, hijacking pages with sensitive user information and cross-site
scripting (XSS). The attacker sends a single HTTP request that forces the web
server to form an output stream, which is then interpreted by the target as two
HTTP responses instead of one response.
CWE #:
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP
Response Splitting')
was:
Can we upgrade the embedded Jetty servlet on Spark 1.6.2? As per our vulnerability
scan, the embedded Jetty servlet is vulnerable to CRLF injection attacks. Please
refer to the information below.
Description:
This script is possibly vulnerable to CRLF injection attacks. HTTP headers have
the structure "Key: Value", where each line is separated by the CRLF
combination. If the user input is injected into the value section without
properly escaping/removing CRLF characters it is possible to alter the HTTP
headers structure. HTTP Response Splitting is a new application attack
technique which enables various new attacks such as web cache poisoning, cross
user defacement, hijacking pages with sensitive user information and cross-site
scripting (XSS). The attacker sends a single HTTP request that forces the web
server to form an output stream, which is then interpreted by the target as two
HTTP responses instead of one response.
CWE #:
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP
Response Splitting')
> CRLF Injection/HTTP response splitting on spark embedded jetty servlet.
> -----------------------------------------------------------------------
>
> Key: SPARK-27172
> URL: https://issues.apache.org/jira/browse/SPARK-27172
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Web UI
> Affects Versions: 1.6.2
> Reporter: Jerry Garcia
> Priority: Major
>
> Can we upgrade the embedded Jetty servlet on Spark 1.6.2? Will there be any
> dependencies that will be affected if we do upgrade it? The reason for doing this is
> that we would like to patch the vulnerability that was scanned, which is the
> CRLF injection attack. Please refer to the information below.
> Description:
> This script is possibly vulnerable to CRLF injection attacks. HTTP headers
> have the structure "Key: Value", where each line is separated by the CRLF
> combination. If the user input is injected into the value section without
> properly escaping/removing CRLF characters it is possible to alter the HTTP
> headers structure. HTTP Response Splitting is a new application attack
> technique which enables various new attacks such as web cache poisoning,
> cross user defacement, hijacking pages with sensitive user information and
> cross-site scripting (XSS). The attacker sends a single HTTP request that
> forces the web server to form an output stream, which is then interpreted by
> the target as two HTTP responses instead of one response.
> CWE #:
> CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP
> Response Splitting')
>
>
>
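An added example, not part of the JIRA issue and not Spark or Jetty code, of the CWE-113 check the description above calls for: a header value taken from user input must be validated for CR/LF before it is written, otherwise the output stream frames as two responses. The builder functions and the tainted sample value are constructed for illustration.

```python
# Added example (not from the Spark issue or Jetty): why a header value built
# from user input must be checked for CR/LF before it is emitted (CWE-113).
import re

# RFC 7230 field-value: visible ASCII, SP, HTAB and obs-text. CR, LF and other
# control characters are never allowed inside a header value.
_VALID_FIELD_VALUE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")


def is_safe_header_value(value: str) -> bool:
    """True if `value` can be emitted as a single header line."""
    return bool(_VALID_FIELD_VALUE.match(value))


def unsafe_build_response(status: str, headers: dict) -> bytes:
    """The weak pattern: header values are written without any check."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_response(status: str, headers: dict) -> bytes:
    """Hardened form: refuse any header value that could split the response."""
    for name, value in headers.items():
        if not is_safe_header_value(value):
            raise ValueError(f"CR/LF or control character in header {name!r}")
    return unsafe_build_response(status, headers)


def count_responses(raw: bytes) -> int:
    """Count status lines in a raw stream the way a proxy or browser frames it;
    more than one means the single response was split."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


# Constructed input: a redirect target copied from the request that carries
# CRLF sequences, so the naive builder emits what parses as two responses.
TAINTED_LOCATION = "/home\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0"


def demo():
    """Returns (responses seen from the naive builder, whether the hardened
    builder rejected the same value)."""
    split = count_responses(unsafe_build_response("302 Found", {"Location": TAINTED_LOCATION}))
    try:
        build_response("302 Found", {"Location": TAINTED_LOCATION})
        rejected = False
    except ValueError:
        rejected = True
    return split, rejected
```

Jetty and other servlet containers perform the equivalent check inside their header-setting APIs, which is why the fix here is a dependency upgrade rather than application code.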
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)