Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2018-9159

Good to know:

icon
icon

Date: March 31, 2018

In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.

Language: Java

Severity Score

Related Resources (11)

https://access.redhat.com/errata/RHSA-2018:2020
https://access.redhat.com/errata/RHSA-2018:2405
http://sparkjava.com/news#spark-272-released
https://github.com/perwendel/spark/issues/981
https://github.com/perwendel/spark
https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668
https://github.com/advisories/GHSA-76qr-mmh8-cp8f
https://nvd.nist.gov/vuln/detail/CVE-2018-9159
https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc
https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd
https://www.mend.io/vulnerability-database/CVE-2018-9159

Severity Score

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

icon

Upgrade Version

Upgrade to version com.sparkjava:spark-core:2.7.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us