Bug 1393607 (CVE-2016-9177) - CVE-2016-9177 Spark: Directory traversal vulnerability in version 2.5
Summary: CVE-2016-9177 Spark: Directory traversal vulnerability in version 2.5
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-9177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1391371
Reported: 2016-11-10 00:20 UTC by Hooman Broujerdi
Modified: 2021-10-21 11:48 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-10-21 11:48:08 UTC
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2017:0868
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update
Last Updated: 2017-04-04 01:02:28 UTC

Description Hooman Broujerdi 2016-11-10 00:20:13 UTC
A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there's no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data.

External References:

http://seclists.org/fulldisclosure/2016/Nov/13

Comment 2 errata-xmlrpc 2017-04-03 21:03:16 UTC
This issue has been addressed in the following products:



Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868

Comment 3 errata-xmlrpc 2018-07-02 15:51:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868
