CVE-2018-9159

spark: Absolute and relative pathnames allow for unintended static file disclosure

Severity Score

5.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.

En Spark en versiones anteriores a la 2.7.2, un atacante remoto puede leer archivos estáticos no deseados mediante varias representaciones de nombres de ruta relativos o absolutos, tal y como queda demostrado con las secuencias de URL de archivos y saltos de directorio. NOTA: este producto no está relacionado con Ignite Realtime Spark.

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. Issues addressed include a file disclosure vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-03-31 CVE Reserved
2018-03-31 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (9)

URL	Tag	Source
https://github.com/perwendel/spark/issues/981	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668	2019-10-03
https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd	2019-10-03
https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc	2019-10-03

URL	Date	SRC
http://sparkjava.com/news#spark-272-released	2019-10-03
https://access.redhat.com/errata/RHSA-2018:2020	2019-10-03
https://access.redhat.com/errata/RHSA-2018:2405	2019-10-03
https://access.redhat.com/security/cve/CVE-2018-9159	2018-08-14
https://bugzilla.redhat.com/show_bug.cgi?id=1563732	2018-08-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sparkjava Search vendor "Sparkjava"		Spark Search vendor "Sparkjava" for product "Spark"				< 2.7.2 Search vendor "Sparkjava" for product "Spark" and version " < 2.7.2"		-		Affected