Bug 1393607 (CVE-2016-9177) - CVE-2016-9177 Spark: Directory traversal vulnerability in version 2.5
Summary: CVE-2016-9177 Spark: Directory traversal vulnerability in version 2.5
Keywords:
Status: NEW
Alias: CVE-2016-9177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1391371
TreeView+ depends on / blocked
 
Reported: 2016-11-10 00:20 UTC by Hooman Broujerdi
Modified: 2019-09-29 13:59 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there's no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0868 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update 2017-04-04 01:02:28 UTC

Description Hooman Broujerdi 2016-11-10 00:20:13 UTC
A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there's no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data.

External References:

http://seclists.org/fulldisclosure/2016/Nov/13

Comment 2 errata-xmlrpc 2017-04-03 21:03:16 UTC
This issue has been addressed in the following products:



Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868

Comment 3 errata-xmlrpc 2018-07-02 15:51:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868


Note You need to log in before you can comment on or make changes to this bug.