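In Spark (the Java web framework developed in the perwendel/spark repository) before 2.7.2, a remote attacker can read static files that were not intended to be served, by using various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark. The signatures below reference three commits in that repository; src/main/java/spark/resource/ClassPathResource.java is the only non-test file among their targets, so a match on the test-file signatures alone should be treated as weaker evidence about the deployed static-file handling.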
{ "vanir_signatures": [ { "id": "CVE-2018-9159-0742679b", "signature_type": "Function", "digest": { "function_hash": "274702336924059045220315384900798018436", "length": 300.0 }, "target": { "file": "src/main/java/spark/resource/ClassPathResource.java", "function": "ClassPathResource" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc" }, { "id": "CVE-2018-9159-4ee58890", "signature_type": "Function", "digest": { "function_hash": "219633218909508915481604138220538051052", "length": 521.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "create" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd" }, { "id": "CVE-2018-9159-55525914", "signature_type": "Line", "digest": { "line_hashes": [ "133574792449731335973132868950198151485", "257335335481046230452541955730993069407", "146347350014249225707936122791708957197", "27037493179672744181024679700312450242", "313803090016706940698633496826837476773", "33798052502027166477155591057003484516", "35951155358591919279284354601871982735", "50891235107509836565086710491809777914", "227746082498725766585249290947778507819", "78643588118164563811600209927503611429", "128518321016854476958753224378072799421", "102303229732135921039883977462325960838", "316169523400522485333593800826273965365", "307550373801888361413622648419519866793", "149347804708953280852197626847695323069", "97092449092396147546741741262192161355", "75354933614802155443685682540736087169", "6225964087671448554189277302471068652", "128911233388898022081993511526637797934", "20582418890213729740817369797123023759", "86637881585553651381575599551793686071", "95616049086595697315593951527548584110", "309040912853249409675696415388210279379", "181339899984622736611298041871185218368", 
"32749052534756466232436631032614112002", "148701747064394071540242646322172657629", "235891000172328819522632093526256659730", "10790970577727228227156164546475958632", "296426743375805939393225872531094909024", "317946392185310770365500093109003751912", "94998173725053777680939313577048355562" ], "threshold": 0.9 }, "target": { "file": "src/main/java/spark/resource/ClassPathResource.java" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc" }, { "id": "CVE-2018-9159-5c0f7f16", "signature_type": "Line", "digest": { "line_hashes": [ "79044289685893448828556408087668939929", "146671743541681319602796040391763348176", "9923588346558998668865636485014071861", "233455152842927483800061477439479287087", "122891342578570406157162985985503480276", "57847457026306637878891409164820504137" ], "threshold": 0.9 }, "target": { "file": "src/test/java/spark/examples/staticresources/StaticResources.java" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668" }, { "id": "CVE-2018-9159-63130b8f", "signature_type": "Function", "digest": { "function_hash": "179213600700823365691695209879720642924", "length": 549.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "create_withThreadPool" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd" }, { "id": "CVE-2018-9159-6468306d", "signature_type": "Function", "digest": { "function_hash": "219633218909508915481604138220538051052", "length": 521.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "create" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668" }, { 
"id": "CVE-2018-9159-6dcf90ab", "signature_type": "Line", "digest": { "line_hashes": [ "79044289685893448828556408087668939929", "146671743541681319602796040391763348176", "9923588346558998668865636485014071861", "233455152842927483800061477439479287087", "122891342578570406157162985985503480276", "57847457026306637878891409164820504137" ], "threshold": 0.9 }, "target": { "file": "src/test/java/spark/examples/staticresources/StaticResources.java" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd" }, { "id": "CVE-2018-9159-7b08928e", "signature_type": "Function", "digest": { "function_hash": "120874310715886771716198509071211151694", "length": 541.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "create_withNullThreadPool" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd" }, { "id": "CVE-2018-9159-9037907a", "signature_type": "Function", "digest": { "function_hash": "64113376251264012390907345139382319409", "length": 139.0 }, "target": { "file": "src/test/java/spark/examples/staticresources/StaticResources.java", "function": "main" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd" }, { "id": "CVE-2018-9159-952a0d13", "signature_type": "Line", "digest": { "line_hashes": [ "87684921832241687655918292211404016033", "203302334733713338374274547450383163040", "113977888416467995475895392042005865798", "21927431905462535650519807918157491603", "109893655024287940479510345397907846048", "286049604279402165989529531468170763352", "197026777102521465984156477188169581391", "243611144339414696933723193260786826758", "250061207768756530094767290408518415088", "109840624392325360607145220768160060738", 
"161635664085484397923725767185940645384", "144773806321077148415617847768478621991", "4347417068422738849648497407623805833", "16953184574559664618845260413091234815", "127201986570462198472398664917130125250", "150457341653248163634371547278868393298", "207811836463165821768205397610717725711", "262979691645198576983505896010398452855", "210348588525144921477800355477223308613", "289202858452058403346943218127179283341", "236914022717968287801981081482619168845", "109840624392325360607145220768160060738", "304520771673068591326627680622927800585", "43298933005894150647276526513891420220", "322468652947825938955004406889543915776", "286583568098876652245465404422758834568", "127201986570462198472398664917130125250", "150457341653248163634371547278868393298", "42360580988981891095812930143999256984", "41813541162666565704516703163454305271", "316304691304349232277688092453454538288", "181157380099642672367145798355441124597", "255074620180927161392556015134125008215" ], "threshold": 0.9 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668" }, { "id": "CVE-2018-9159-95b6d256", "signature_type": "Function", "digest": { "function_hash": "120874310715886771716198509071211151694", "length": 541.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "create_withNullThreadPool" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668" }, { "id": "CVE-2018-9159-b68cb132", "signature_type": "Line", "digest": { "line_hashes": [ "87684921832241687655918292211404016033", "203302334733713338374274547450383163040", "113977888416467995475895392042005865798", "21927431905462535650519807918157491603", "109893655024287940479510345397907846048", 
"286049604279402165989529531468170763352", "197026777102521465984156477188169581391", "243611144339414696933723193260786826758", "250061207768756530094767290408518415088", "109840624392325360607145220768160060738", "161635664085484397923725767185940645384", "144773806321077148415617847768478621991", "4347417068422738849648497407623805833", "16953184574559664618845260413091234815", "127201986570462198472398664917130125250", "150457341653248163634371547278868393298", "207811836463165821768205397610717725711", "262979691645198576983505896010398452855", "210348588525144921477800355477223308613", "289202858452058403346943218127179283341", "236914022717968287801981081482619168845", "109840624392325360607145220768160060738", "304520771673068591326627680622927800585", "43298933005894150647276526513891420220", "322468652947825938955004406889543915776", "286583568098876652245465404422758834568", "127201986570462198472398664917130125250", "150457341653248163634371547278868393298", "42360580988981891095812930143999256984", "41813541162666565704516703163454305271", "316304691304349232277688092453454538288", "181157380099642672367145798355441124597", "255074620180927161392556015134125008215" ], "threshold": 0.9 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd" }, { "id": "CVE-2018-9159-c34e2cae", "signature_type": "Function", "digest": { "function_hash": "179213600700823365691695209879720642924", "length": 549.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "create_withThreadPool" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668" }, { "id": "CVE-2018-9159-c365d6de", "signature_type": "Function", "digest": { "function_hash": 
"95696730264757576704280536816030987842", "length": 101.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "tearDown" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668" }, { "id": "CVE-2018-9159-d15e94c8", "signature_type": "Function", "digest": { "function_hash": "95696730264757576704280536816030987842", "length": 101.0 }, "target": { "file": "src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java", "function": "tearDown" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd" }, { "id": "CVE-2018-9159-e0b78b55", "signature_type": "Function", "digest": { "function_hash": "64113376251264012390907345139382319409", "length": 139.0 }, "target": { "file": "src/test/java/spark/examples/staticresources/StaticResources.java", "function": "main" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668" } ] }