CVE-2018-11804 Information

Description

Spark’s Apache Maven-based build includes a convenience script, ‘build/mvn’, that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://www.securityfocus.com/bid/105756
https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d@%3Cdev.spark.apache.org%3E
https://spark.apache.org/security.html#CVE-2018-11804

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
