Vulnerabilities > CVE-2018-11804 - Unspecified vulnerability in Apache Spark

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

apache

NVD

Published: 2018-10-24

Updated: 2024-06-10

Summary

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Spark 2.3.0 Apache Spark 2.3.1 Apache Spark 2.3.2 Apache Spark 1.3.0 Apache Spark 1.3.1 Apache Spark 1.4.0 Apache Spark 1.4.1 Apache Spark 1.5.0 Apache Spark 1.5.1 Apache Spark 1.5.2 Apache Spark 1.6.0 Apache Spark 1.6.1 Apache Spark 1.6.2 Apache Spark 1.6.3 Apache Spark 2.0.0 Apache Spark 2.0.1 Apache Spark 2.0.2 Apache Spark 2.1.0 Apache Spark 2.1.1 Apache Spark 2.1.2 Apache Spark 2.1.3 Apache Spark 2.2.0 Apache Spark 2.2.1 Apache Spark 2.2.2	55

Summary

Vulnerable Configurations

References