CVE-2018-11804: Input Validation
First published: Wed Oct 24 2018(Updated: )
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Spark | >=1.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-11804?
CVE-2018-11804 is a vulnerability in Apache Spark's Maven-based build that allows external hosts to connect to a zinc server by default.
What is the severity of CVE-2018-11804?
CVE-2018-11804 has a severity rating of 7.5 (high).
How does CVE-2018-11804 affect Apache Spark?
CVE-2018-11804 affects Apache Spark versions 1.3.x and above, including the master branch.
How can I fix CVE-2018-11804?
To fix CVE-2018-11804, update to a version of Apache Spark that includes the necessary security patches.
Where can I find more information about CVE-2018-11804?
More information about CVE-2018-11804 can be found on the Apache Spark website.
- collector/nvd-index
- agent/type
- vendor/apache
- canonical/apache spark
- version/apache spark/1.3.0