Veracode Vulnerability DatabaseVERACODE:7646Information Disclosure
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
Apache Spark is vulnerable to information disclosure. The convenience script build/mvn runs a zinc server which will accept connections from external hosts by default. This vulnerability affects developers when building Spark from source code. A specially crafted request to the zinc server will reveal information within files accessible by the developer account. This vulnerability does not affect end users of Spark.
| CPE | Name | Operator | Version |
|---|---|---|---|
| spark project parent pom | le | 2.3.2 | |
| spark project parent pom | le | 2.3.2 |
References
www.securityfocus.com/bid/105756
github.com/apache/spark/commit/ac586bbb016d70c60b1bd2ea5320fd56c3a8eead
lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E
lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d@%3Cdev.spark.apache.org%3E
spark.apache.org/security.html#CVE-2018-11804
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N