spark-webui-unauth: Unauthenticated Spark WebUI

漏洞描述

PoC代码[已公开]

id: spark-webui-unauth

info:
  name: Unauthenticated Spark WebUI
  author: princechaddha
  severity: medium
  description: Spark WebUI is exposed to external users without any authentication.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/spark/unacc
  metadata:
    max-request: 1
  tags: unauth,vulhub,spark,misconfig,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "<title>Spark Master at spark://"
          - "<strong>URL:</strong>"
        part: body
        condition: and
# digest: 490a00463044022038656b164ade62059193dde865f17a96b882726297473aa1c0b6fca7cfd70c0302201fa19083ef39e6016b90e4b0ddc8fefc9fd4eaee5253e30b90c7d0bcf6642420:922c64590222798bb761d5b6d8e72950

相关漏洞推荐

• POC CVE-2024-2862: LG LED Assistant - Unauthenticated Password Reset
• POC jboss-jmx-console-unauth: JBoss JMX Console - Unauthenticated Access
• POC wp-better-wp-security-login-disclosure: WordPress Solid Security < 9.0.1 - Unauthenticated Login Page Disclosure
• POC CVE-2019-17671: WordPress <= 5.2.4 - Unauthenticated View Private/Draft Posts
• POC CVE-2025-34299: Monsta FTP <= 2.11.2 - Unauthenticated Remote Code Execution
• POC CVE-2020-11732: Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion
• POC CVE-2021-36888: WordPress Image Hover Ultimate - Unauthenticated Settings Update
• POC CVE-2021-4449: ZoomSounds Plugin - Unauthenticated Arbitrary File Upload
• POC CVE-2021-4462: Employee Records System 1.0 - Unauthenticated File Upload RCE
• POC CVE-2022-28666: Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
• POC CVE-2022-33198: WordPress Accordions - Unauthenticated Settings Update
• POC CVE-2022-34487: ShortCode Addons - Unauthenticated Options Update
• POC CVE-2023-41954: ProfilePress <= 4.13.1 — Unauthenticated Privilege Escalation