CVE-2018-9159

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-9159
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-9159.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-9159
Aliases
Downstream
Related
Published
2018-03-31T21:29:00Z
Modified
2025-09-19T10:10:57.425760Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

In Spark (the Java web framework developed at github.com/perwendel/spark) before 2.7.2, a remote attacker can read static files that were not intended to be served, by using various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.

References

Affected packages

Git / github.com/perwendel/spark

Affected ranges

Type
GIT
Repo
https://github.com/perwendel/spark
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed

Affected versions

0.*

0.9.9.4

1.*

1.0
1.1
1.1.1
1.1.2

2.*

2.0.0
2.1
2.2
2.3
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.7.0
2.7.1

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2018-9159-0742679b",
            "signature_type": "Function",
            "digest": {
                "function_hash": "274702336924059045220315384900798018436",
                "length": 300.0
            },
            "target": {
                "file": "src/main/java/spark/resource/ClassPathResource.java",
                "function": "ClassPathResource"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc"
        },
        {
            "id": "CVE-2018-9159-4ee58890",
            "signature_type": "Function",
            "digest": {
                "function_hash": "219633218909508915481604138220538051052",
                "length": 521.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "create"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"
        },
        {
            "id": "CVE-2018-9159-55525914",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "133574792449731335973132868950198151485",
                    "257335335481046230452541955730993069407",
                    "146347350014249225707936122791708957197",
                    "27037493179672744181024679700312450242",
                    "313803090016706940698633496826837476773",
                    "33798052502027166477155591057003484516",
                    "35951155358591919279284354601871982735",
                    "50891235107509836565086710491809777914",
                    "227746082498725766585249290947778507819",
                    "78643588118164563811600209927503611429",
                    "128518321016854476958753224378072799421",
                    "102303229732135921039883977462325960838",
                    "316169523400522485333593800826273965365",
                    "307550373801888361413622648419519866793",
                    "149347804708953280852197626847695323069",
                    "97092449092396147546741741262192161355",
                    "75354933614802155443685682540736087169",
                    "6225964087671448554189277302471068652",
                    "128911233388898022081993511526637797934",
                    "20582418890213729740817369797123023759",
                    "86637881585553651381575599551793686071",
                    "95616049086595697315593951527548584110",
                    "309040912853249409675696415388210279379",
                    "181339899984622736611298041871185218368",
                    "32749052534756466232436631032614112002",
                    "148701747064394071540242646322172657629",
                    "235891000172328819522632093526256659730",
                    "10790970577727228227156164546475958632",
                    "296426743375805939393225872531094909024",
                    "317946392185310770365500093109003751912",
                    "94998173725053777680939313577048355562"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "src/main/java/spark/resource/ClassPathResource.java"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc"
        },
        {
            "id": "CVE-2018-9159-5c0f7f16",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "79044289685893448828556408087668939929",
                    "146671743541681319602796040391763348176",
                    "9923588346558998668865636485014071861",
                    "233455152842927483800061477439479287087",
                    "122891342578570406157162985985503480276",
                    "57847457026306637878891409164820504137"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "src/test/java/spark/examples/staticresources/StaticResources.java"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"
        },
        {
            "id": "CVE-2018-9159-63130b8f",
            "signature_type": "Function",
            "digest": {
                "function_hash": "179213600700823365691695209879720642924",
                "length": 549.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "create_withThreadPool"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"
        },
        {
            "id": "CVE-2018-9159-6468306d",
            "signature_type": "Function",
            "digest": {
                "function_hash": "219633218909508915481604138220538051052",
                "length": 521.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "create"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"
        },
        {
            "id": "CVE-2018-9159-6dcf90ab",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "79044289685893448828556408087668939929",
                    "146671743541681319602796040391763348176",
                    "9923588346558998668865636485014071861",
                    "233455152842927483800061477439479287087",
                    "122891342578570406157162985985503480276",
                    "57847457026306637878891409164820504137"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "src/test/java/spark/examples/staticresources/StaticResources.java"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"
        },
        {
            "id": "CVE-2018-9159-7b08928e",
            "signature_type": "Function",
            "digest": {
                "function_hash": "120874310715886771716198509071211151694",
                "length": 541.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "create_withNullThreadPool"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"
        },
        {
            "id": "CVE-2018-9159-9037907a",
            "signature_type": "Function",
            "digest": {
                "function_hash": "64113376251264012390907345139382319409",
                "length": 139.0
            },
            "target": {
                "file": "src/test/java/spark/examples/staticresources/StaticResources.java",
                "function": "main"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"
        },
        {
            "id": "CVE-2018-9159-952a0d13",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "87684921832241687655918292211404016033",
                    "203302334733713338374274547450383163040",
                    "113977888416467995475895392042005865798",
                    "21927431905462535650519807918157491603",
                    "109893655024287940479510345397907846048",
                    "286049604279402165989529531468170763352",
                    "197026777102521465984156477188169581391",
                    "243611144339414696933723193260786826758",
                    "250061207768756530094767290408518415088",
                    "109840624392325360607145220768160060738",
                    "161635664085484397923725767185940645384",
                    "144773806321077148415617847768478621991",
                    "4347417068422738849648497407623805833",
                    "16953184574559664618845260413091234815",
                    "127201986570462198472398664917130125250",
                    "150457341653248163634371547278868393298",
                    "207811836463165821768205397610717725711",
                    "262979691645198576983505896010398452855",
                    "210348588525144921477800355477223308613",
                    "289202858452058403346943218127179283341",
                    "236914022717968287801981081482619168845",
                    "109840624392325360607145220768160060738",
                    "304520771673068591326627680622927800585",
                    "43298933005894150647276526513891420220",
                    "322468652947825938955004406889543915776",
                    "286583568098876652245465404422758834568",
                    "127201986570462198472398664917130125250",
                    "150457341653248163634371547278868393298",
                    "42360580988981891095812930143999256984",
                    "41813541162666565704516703163454305271",
                    "316304691304349232277688092453454538288",
                    "181157380099642672367145798355441124597",
                    "255074620180927161392556015134125008215"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"
        },
        {
            "id": "CVE-2018-9159-95b6d256",
            "signature_type": "Function",
            "digest": {
                "function_hash": "120874310715886771716198509071211151694",
                "length": 541.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "create_withNullThreadPool"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"
        },
        {
            "id": "CVE-2018-9159-b68cb132",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "87684921832241687655918292211404016033",
                    "203302334733713338374274547450383163040",
                    "113977888416467995475895392042005865798",
                    "21927431905462535650519807918157491603",
                    "109893655024287940479510345397907846048",
                    "286049604279402165989529531468170763352",
                    "197026777102521465984156477188169581391",
                    "243611144339414696933723193260786826758",
                    "250061207768756530094767290408518415088",
                    "109840624392325360607145220768160060738",
                    "161635664085484397923725767185940645384",
                    "144773806321077148415617847768478621991",
                    "4347417068422738849648497407623805833",
                    "16953184574559664618845260413091234815",
                    "127201986570462198472398664917130125250",
                    "150457341653248163634371547278868393298",
                    "207811836463165821768205397610717725711",
                    "262979691645198576983505896010398452855",
                    "210348588525144921477800355477223308613",
                    "289202858452058403346943218127179283341",
                    "236914022717968287801981081482619168845",
                    "109840624392325360607145220768160060738",
                    "304520771673068591326627680622927800585",
                    "43298933005894150647276526513891420220",
                    "322468652947825938955004406889543915776",
                    "286583568098876652245465404422758834568",
                    "127201986570462198472398664917130125250",
                    "150457341653248163634371547278868393298",
                    "42360580988981891095812930143999256984",
                    "41813541162666565704516703163454305271",
                    "316304691304349232277688092453454538288",
                    "181157380099642672367145798355441124597",
                    "255074620180927161392556015134125008215"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"
        },
        {
            "id": "CVE-2018-9159-c34e2cae",
            "signature_type": "Function",
            "digest": {
                "function_hash": "179213600700823365691695209879720642924",
                "length": 549.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "create_withThreadPool"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"
        },
        {
            "id": "CVE-2018-9159-c365d6de",
            "signature_type": "Function",
            "digest": {
                "function_hash": "95696730264757576704280536816030987842",
                "length": 101.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "tearDown"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"
        },
        {
            "id": "CVE-2018-9159-d15e94c8",
            "signature_type": "Function",
            "digest": {
                "function_hash": "95696730264757576704280536816030987842",
                "length": 101.0
            },
            "target": {
                "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java",
                "function": "tearDown"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"
        },
        {
            "id": "CVE-2018-9159-e0b78b55",
            "signature_type": "Function",
            "digest": {
                "function_hash": "64113376251264012390907345139382319409",
                "length": 139.0
            },
            "target": {
                "file": "src/test/java/spark/examples/staticresources/StaticResources.java",
                "function": "main"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"
        }
    ]
}