CVE-2018-9159

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-9159
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-9159.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-9159
Aliases
Downstream
Related
Published
2018-03-31T21:29:00Z
Modified
2025-10-15T10:03:23.200622Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

In Spark (the Java web framework hosted at github.com/perwendel/spark) before 2.7.2, a remote attacker can read unintended static files by supplying various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.

References

Affected packages

Git / github.com/perwendel/spark

Affected ranges

Type
GIT
Repo
https://github.com/perwendel/spark
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed

Affected versions

0.*

0.9.9.4

1.*

1.0
1.1
1.1.1
1.1.2

2.*

2.0.0
2.1
2.2
2.3
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.7.0
2.7.1

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "target": {
            "function": "ClassPathResource",
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc",
        "digest": {
            "length": 300.0,
            "function_hash": "274702336924059045220315384900798018436"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-0742679b",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "create",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "length": 521.0,
            "function_hash": "219633218909508915481604138220538051052"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-4ee58890",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "133574792449731335973132868950198151485",
                "257335335481046230452541955730993069407",
                "146347350014249225707936122791708957197",
                "27037493179672744181024679700312450242",
                "313803090016706940698633496826837476773",
                "33798052502027166477155591057003484516",
                "35951155358591919279284354601871982735",
                "50891235107509836565086710491809777914",
                "227746082498725766585249290947778507819",
                "78643588118164563811600209927503611429",
                "128518321016854476958753224378072799421",
                "102303229732135921039883977462325960838",
                "316169523400522485333593800826273965365",
                "307550373801888361413622648419519866793",
                "149347804708953280852197626847695323069",
                "97092449092396147546741741262192161355",
                "75354933614802155443685682540736087169",
                "6225964087671448554189277302471068652",
                "128911233388898022081993511526637797934",
                "20582418890213729740817369797123023759",
                "86637881585553651381575599551793686071",
                "95616049086595697315593951527548584110",
                "309040912853249409675696415388210279379",
                "181339899984622736611298041871185218368",
                "32749052534756466232436631032614112002",
                "148701747064394071540242646322172657629",
                "235891000172328819522632093526256659730",
                "10790970577727228227156164546475958632",
                "296426743375805939393225872531094909024",
                "317946392185310770365500093109003751912",
                "94998173725053777680939313577048355562"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-9159-55525914",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/test/java/spark/examples/staticresources/StaticResources.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "79044289685893448828556408087668939929",
                "146671743541681319602796040391763348176",
                "9923588346558998668865636485014071861",
                "233455152842927483800061477439479287087",
                "122891342578570406157162985985503480276",
                "57847457026306637878891409164820504137"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-9159-5c0f7f16",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "create_withThreadPool",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "length": 549.0,
            "function_hash": "179213600700823365691695209879720642924"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-63130b8f",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "create",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "length": 521.0,
            "function_hash": "219633218909508915481604138220538051052"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-6468306d",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "doesNotContainFileColon",
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "length": 74.0,
            "function_hash": "229579973618335073010886728770567009828"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-6997da3d",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/test/java/spark/examples/staticresources/StaticResources.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "79044289685893448828556408087668939929",
                "146671743541681319602796040391763348176",
                "9923588346558998668865636485014071861",
                "233455152842927483800061477439479287087",
                "122891342578570406157162985985503480276",
                "57847457026306637878891409164820504137"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-9159-6dcf90ab",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "create_withNullThreadPool",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "length": 541.0,
            "function_hash": "120874310715886771716198509071211151694"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-7b08928e",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "main",
            "file": "src/test/java/spark/examples/staticresources/StaticResources.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "length": 139.0,
            "function_hash": "64113376251264012390907345139382319409"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-9037907a",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "87684921832241687655918292211404016033",
                "203302334733713338374274547450383163040",
                "113977888416467995475895392042005865798",
                "21927431905462535650519807918157491603",
                "109893655024287940479510345397907846048",
                "286049604279402165989529531468170763352",
                "197026777102521465984156477188169581391",
                "243611144339414696933723193260786826758",
                "250061207768756530094767290408518415088",
                "109840624392325360607145220768160060738",
                "161635664085484397923725767185940645384",
                "144773806321077148415617847768478621991",
                "4347417068422738849648497407623805833",
                "16953184574559664618845260413091234815",
                "127201986570462198472398664917130125250",
                "150457341653248163634371547278868393298",
                "207811836463165821768205397610717725711",
                "262979691645198576983505896010398452855",
                "210348588525144921477800355477223308613",
                "289202858452058403346943218127179283341",
                "236914022717968287801981081482619168845",
                "109840624392325360607145220768160060738",
                "304520771673068591326627680622927800585",
                "43298933005894150647276526513891420220",
                "322468652947825938955004406889543915776",
                "286583568098876652245465404422758834568",
                "127201986570462198472398664917130125250",
                "150457341653248163634371547278868393298",
                "42360580988981891095812930143999256984",
                "41813541162666565704516703163454305271",
                "316304691304349232277688092453454538288",
                "181157380099642672367145798355441124597",
                "255074620180927161392556015134125008215"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-9159-952a0d13",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "create_withNullThreadPool",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "length": 541.0,
            "function_hash": "120874310715886771716198509071211151694"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-95b6d256",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "86338898302799134317004704633949531730",
                "246007829359782286723457869738016452538",
                "77488092609406731583216030235522864998",
                "309862899411657841201371493812586809577",
                "148800470129033171362188369011312650604",
                "178048244493998185861343722394331395268",
                "318106029286125956235210808608392703608",
                "238528561277607759608676991767827207371",
                "105765673471306735563995424288568153921",
                "299683914653507249700997292524093176130",
                "111544296669309098648885990631183054565",
                "203636115368687859759167628973491452716",
                "115334725157305393877678767885727777493",
                "235891000172328819522632093526256659730",
                "10790970577727228227156164546475958632",
                "296426743375805939393225872531094909024",
                "317946392185310770365500093109003751912",
                "94998173725053777680939313577048355562"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-9159-9d77223f",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "ClassPathResource",
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "length": 377.0,
            "function_hash": "303368326149750333144831279750599636055"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-9d95c2f0",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "87684921832241687655918292211404016033",
                "203302334733713338374274547450383163040",
                "113977888416467995475895392042005865798",
                "21927431905462535650519807918157491603",
                "109893655024287940479510345397907846048",
                "286049604279402165989529531468170763352",
                "197026777102521465984156477188169581391",
                "243611144339414696933723193260786826758",
                "250061207768756530094767290408518415088",
                "109840624392325360607145220768160060738",
                "161635664085484397923725767185940645384",
                "144773806321077148415617847768478621991",
                "4347417068422738849648497407623805833",
                "16953184574559664618845260413091234815",
                "127201986570462198472398664917130125250",
                "150457341653248163634371547278868393298",
                "207811836463165821768205397610717725711",
                "262979691645198576983505896010398452855",
                "210348588525144921477800355477223308613",
                "289202858452058403346943218127179283341",
                "236914022717968287801981081482619168845",
                "109840624392325360607145220768160060738",
                "304520771673068591326627680622927800585",
                "43298933005894150647276526513891420220",
                "322468652947825938955004406889543915776",
                "286583568098876652245465404422758834568",
                "127201986570462198472398664917130125250",
                "150457341653248163634371547278868393298",
                "42360580988981891095812930143999256984",
                "41813541162666565704516703163454305271",
                "316304691304349232277688092453454538288",
                "181157380099642672367145798355441124597",
                "255074620180927161392556015134125008215"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-9159-b68cb132",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "create_withThreadPool",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "length": 549.0,
            "function_hash": "179213600700823365691695209879720642924"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-c34e2cae",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "tearDown",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "length": 101.0,
            "function_hash": "95696730264757576704280536816030987842"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-c365d6de",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "tearDown",
            "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "length": 101.0,
            "function_hash": "95696730264757576704280536816030987842"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-d15e94c8",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "86338898302799134317004704633949531730",
                "246007829359782286723457869738016452538",
                "77488092609406731583216030235522864998",
                "309862899411657841201371493812586809577",
                "148800470129033171362188369011312650604",
                "178048244493998185861343722394331395268",
                "318106029286125956235210808608392703608",
                "238528561277607759608676991767827207371",
                "105765673471306735563995424288568153921",
                "299683914653507249700997292524093176130",
                "111544296669309098648885990631183054565",
                "203636115368687859759167628973491452716",
                "115334725157305393877678767885727777493",
                "235891000172328819522632093526256659730",
                "10790970577727228227156164546475958632",
                "296426743375805939393225872531094909024",
                "317946392185310770365500093109003751912",
                "94998173725053777680939313577048355562"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-9159-d83c35b7",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "main",
            "file": "src/test/java/spark/examples/staticresources/StaticResources.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "length": 139.0,
            "function_hash": "64113376251264012390907345139382319409"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-e0b78b55",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "ClassPathResource",
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd",
        "digest": {
            "length": 377.0,
            "function_hash": "303368326149750333144831279750599636055"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-e0fcb3cc",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "doesNotContainFileColon",
            "file": "src/main/java/spark/resource/ClassPathResource.java"
        },
        "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668",
        "digest": {
            "length": 74.0,
            "function_hash": "229579973618335073010886728770567009828"
        },
        "deprecated": false,
        "id": "CVE-2018-9159-f865cd5b",
        "signature_type": "Function"
    }
]