Vulnerability Details : CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
Products affected by CVE-2018-11804
- cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11804
0.50%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 63 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-11804
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
References for CVE-2018-11804
-
https://spark.apache.org/security.html#CVE-2018-11804
Security | Apache SparkMitigation;Vendor Advisory
-
http://www.securityfocus.com/bid/105756
Apache Spark CVE-2018-11804 Information Disclosure VulnerabilityBroken Link;Third Party Advisory;VDB Entry
-
https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E
CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines-Apache Mail ArchivesMailing List;Third Party Advisory
Jump to