CVE-2018-9159 – spark: Absolute and relative pathnames allow for unintended static file disclosure
https://notcve.org/view.php?id=CVE-2018-9159
In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark. En Spark en versiones anteriores a la 2.7.2, un atacante remoto puede leer archivos estáticos no deseados mediante varias representaciones de nombres de ruta relativos o absolutos, tal y como queda demostrado con las secuencias de URL de archivos y saltos de directorio. NOTA: este producto no está relacionado con Ignite Realtime Spark. • http://sparkjava.com/news#spark-272-released https://access.redhat.com/errata/RHSA-2018:2020 https://access.redhat.com/errata/RHSA-2018:2405 https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668 https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc https://github.com/perwendel/spark/issues/981 https://access.redhat.com/security/cve/CVE-2018-9159 https://bugzilla.redhat.com/show_bug • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-9177 – Spark: Directory traversal vulnerability in version 2.5
https://notcve.org/view.php?id=CVE-2016-9177
Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. Vulnerabilidad de salto de directorio en Spark 2.5 permite a atacantes remotos leer archivos arbitrarios a través de un .. (punto punto) en la URI. A path traversal issue was found in Spark version 2.5 and potentially earlier versions. • http://seclists.org/fulldisclosure/2016/Nov/13 http://www.securityfocus.com/bid/94218 https://access.redhat.com/errata/RHSA-2017:0868 https://github.com/perwendel/spark/issues/700 https://access.redhat.com/security/cve/CVE-2016-9177 https://bugzilla.redhat.com/show_bug.cgi?id=1393607 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •