Vulnerability Description
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Spark | >= 1.3.0, < 2.2.3 |
References
- http://www.securityfocus.com/bid/105756Broken LinkThird Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f077843Mailing ListThird Party Advisory
- https://spark.apache.org/security.html#CVE-2018-11804MitigationVendor Advisory
- http://www.securityfocus.com/bid/105756Broken LinkThird Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f077843Mailing ListThird Party Advisory
- https://spark.apache.org/security.html#CVE-2018-11804MitigationVendor Advisory
FAQ
What is CVE-2018-11804?
CVE-2018-11804 is a vulnerability with a CVSS score of 7.5 (HIGH). Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to ...
How severe is CVE-2018-11804?
CVE-2018-11804 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-11804?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Spark.