Apache Spark Build Process Exposes Sensitive File Information
CVE-2018-11804

7.5HIGH

Key Information:

Vendor

Apache
Status
Apache Spark
Vendor
CVE Published:
24 October 2018

What is CVE-2018-11804?

Apache Spark features a convenience script, 'build/mvn', which facilitates a faster compilation by leveraging a zinc server. Unfortunately, this zinc server is configured to accept connections from external hosts by default, leading to a potential risk of exposing sensitive information. A crafted request to the server could allow unauthorized access to files that are readable by the developer account executing the build process. This issue uniquely impacts developers who are building Apache Spark from source, rather than end-users of the software. Timely updates and proper configuration are vital to mitigate the risks associated with this vulnerability.

Affected Version(s)

Apache Spark 1.3.0 < 3.*

References

https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f7...
mailing-listx_refsource_MLIST
https://spark.apache.org/security.html#CVE-2018-11804
x_refsource_CONFIRM
http://www.securityfocus.com/bid/105756
vdb-entryx_refsource_BID

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.