NVD Vulnerability Detail

CVE-2018-11804

Summary	Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
Publication Date	Oct. 25, 2018, 3:29 a.m.
Registration Date	March 1, 2021, 6:47 p.m.
Last Update	Nov. 21, 2024, 12:44 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/105756	Broken Link Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/105756	Broken Link Third Party Advisory VDB Entry
3	https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E	Mailing List Third Party Advisory
4	https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E	Mailing List Third Party Advisory
5	https://spark.apache.org/security.html#CVE-2018-11804	Mitigation Vendor Advisory
6	https://spark.apache.org/security.html#CVE-2018-11804	Mitigation Vendor Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Spark Apache Maven-based における脆弱性

Title	Spark Apache Maven-based における脆弱性
Summary	Spark Apache Maven-based には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 24, 2018, midnight
Registration Date	Jan. 21, 2019, 5:24 p.m.
Last Update	July 1, 2024, 12:19 p.m.

Affected System

Apache Software Foundation

Apache Spark 1.3.x release branch

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Apache Mail Archives
1	CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines	https://lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d@%3Cdev.spark.apache.org%3E
Apache Software Foundation
2	CVE-2018-11804: Apache Spark build/mvn runs zinc, and can expose information from build machines	https://spark.apache.org/security.html#CVE-2018-11804
Common Vulnerabilities and Exposures (CVE)
3	CVE-2018-11804	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11804
National Vulnerability Database (NVD)
4	CVE-2018-11804	https://nvd.nist.gov/vuln/detail/CVE-2018-11804

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/scap/cwe.html

Change Log

No	Changed Details	Date of change
1	[2019年01月21日] 掲載	Jan. 21, 2019, 5:24 p.m.
2	[2024年07月01日] タイトル：内容を更新概要：内容を更新 CWE による脆弱性タイプ一覧：内容を更新	July 1, 2024, 11:09 a.m.