You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@spark.apache.org by "Sean Owen (JIRA)" <ji...@apache.org> on 2019/03/29 20:03:00 UTC

[jira] [Resolved] (SPARK-27172) CRLF Injection/HTTP response splitting on spark embedded jetty servlet.

     [ https://issues.apache.org/jira/browse/SPARK-27172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Owen resolved SPARK-27172.
-------------------------------
    Resolution: Won't Fix

Spark 1.6 has been EOL for years

> CRLF Injection/HTTP response splitting on spark embedded jetty servlet.
> -----------------------------------------------------------------------
>
>                 Key: SPARK-27172
>                 URL: https://issues.apache.org/jira/browse/SPARK-27172
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Web UI
>    Affects Versions: 1.6.2
>            Reporter: Jerry Garcia
>            Priority: Major
>
> Can we upgrade embedded jetty servlet on spark 1.6.2? Will there be any dependencies that will affected if we do upgrade it? Reason for doing this is  we would like to the patch the vulnerability that was scanned, which is the CRLF injection attacks. Please do refer below information.
> Description:
> This script is possibly vulnerable to CRLF injection attacks. HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure. HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.
>  CWE #;
> CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
>  
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org