Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/105756 | Third Party Advisory VDB Entry |
https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E | Mailing List Third Party Advisory |
https://spark.apache.org/security.html#CVE-2018-11804 | Mitigation Vendor Advisory |
Configurations
History
31 Jan 2023, 18:56
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E - Mailing List, Third Party Advisory |
22 Nov 2022, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-10-24 18:29
Updated : 2023-12-10 12:44
NVD link : CVE-2018-11804
Mitre link : CVE-2018-11804
CVE.ORG link : CVE-2018-11804
JSON object : View
Products Affected
apache
- spark
CWE
CWE-20
Improper Input Validation