{"id":"CVE-2018-9159","details":"In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.","aliases":["GHSA-76qr-mmh8-cp8f"],"modified":"2026-02-13T01:38:00.925839Z","published":"2018-03-31T21:29:00.373Z","related":["SUSE-RU-2018:2639-1","SUSE-SU-2018:2689-1"],"references":[{"type":"ADVISORY","url":"http://sparkjava.com/news#spark-272-released"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2020"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2405"},{"type":"ADVISORY","url":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"type":"ADVISORY","url":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"type":"ADVISORY","url":"https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc"},{"type":"ADVISORY","url":"https://github.com/perwendel/spark/issues/981"},{"type":"REPORT","url":"https://github.com/perwendel/spark/issues/981"},{"type":"FIX","url":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"type":"FIX","url":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"type":"FIX","url":"https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/perwendel/spark","events":[{"introduced":"0"},{"fixed":"030e9d00125cbd1ad759668f85488aba1019c668"},{"introduced":"0"},{"fixed":"a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"introduced":"0"},{"fixed":"ce9e11517eca69e58ed4378d1e47a02bd06863cc"}]}],"versions":["0.9.9.4","1.0","1.1","1.1.1","1.1.2","2.0.0","2.1","2.2","2.3","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6.0","2.7.0","2.7.1"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","id":"CVE-2018-9159-0742679b","target":{"function":"ClassPathResource","file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"length":300,"function_hash":"274702336924059045220315384900798018436"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc"},{"signature_version":"v1","id":"CVE-2018-9159-4ee58890","target":{"function":"create","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":521,"function_hash":"219633218909508915481604138220538051052"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-55525914","target":{"file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"threshold":0.9,"line_hashes":["133574792449731335973132868950198151485","257335335481046230452541955730993069407","146347350014249225707936122791708957197","27037493179672744181024679700312450242","313803090016706940698633496826837476773","33798052502027166477155591057003484516","35951155358591919279284354601871982735","50891235107509836565086710491809777914","227746082498725766585249290947778507819","78643588118164563811600209927503611429","128518321016854476958753224378072799421","102303229732135921039883977462325960838","316169523400522485333593800826273965365","307550373801888361413622648419519866793","149347804708953280852197626847695323069","97092449092396147546741741262192161355","75354933614802155443685682540736087169","6225964087671448554189277302471068652","128911233388898022081993511526637797934","20582418890213729740817369797123023759","86637881585553651381575599551793686071","95616049086595697315593951527548584110","309040912853249409675696415388210279379","181339899984622736611298041871185218368","32749052534756466232436631032614112002","148701747064394071540242646322172657629","235891000172328819522632093526256659730","10790970577727228227156164546475958632","296426743375805939393225872531094909024","317946392185310770365500093109003751912","94998173725053777680939313577048355562"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/perwendel/spark/commit/ce9e11517eca69e58ed4378d1e47a02bd06863cc"},{"signature_version":"v1","id":"CVE-2018-9159-5c0f7f16","target":{"file":"src/test/java/spark/examples/staticresources/StaticResources.java"},"digest":{"threshold":0.9,"line_hashes":["79044289685893448828556408087668939929","146671743541681319602796040391763348176","9923588346558998668865636485014071861","233455152842927483800061477439479287087","122891342578570406157162985985503480276","57847457026306637878891409164820504137"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-63130b8f","target":{"function":"create_withThreadPool","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":549,"function_hash":"179213600700823365691695209879720642924"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-6468306d","target":{"function":"create","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":521,"function_hash":"219633218909508915481604138220538051052"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-6997da3d","target":{"function":"doesNotContainFileColon","file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"length":74,"function_hash":"229579973618335073010886728770567009828"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-6dcf90ab","target":{"file":"src/test/java/spark/examples/staticresources/StaticResources.java"},"digest":{"threshold":0.9,"line_hashes":["79044289685893448828556408087668939929","146671743541681319602796040391763348176","9923588346558998668865636485014071861","233455152842927483800061477439479287087","122891342578570406157162985985503480276","57847457026306637878891409164820504137"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-7b08928e","target":{"function":"create_withNullThreadPool","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":541,"function_hash":"120874310715886771716198509071211151694"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-9037907a","target":{"function":"main","file":"src/test/java/spark/examples/staticresources/StaticResources.java"},"digest":{"length":139,"function_hash":"64113376251264012390907345139382319409"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-952a0d13","target":{"file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"threshold":0.9,"line_hashes":["87684921832241687655918292211404016033","203302334733713338374274547450383163040","113977888416467995475895392042005865798","21927431905462535650519807918157491603","109893655024287940479510345397907846048","286049604279402165989529531468170763352","197026777102521465984156477188169581391","243611144339414696933723193260786826758","250061207768756530094767290408518415088","109840624392325360607145220768160060738","161635664085484397923725767185940645384","144773806321077148415617847768478621991","4347417068422738849648497407623805833","16953184574559664618845260413091234815","127201986570462198472398664917130125250","150457341653248163634371547278868393298","207811836463165821768205397610717725711","262979691645198576983505896010398452855","210348588525144921477800355477223308613","289202858452058403346943218127179283341","236914022717968287801981081482619168845","109840624392325360607145220768160060738","304520771673068591326627680622927800585","43298933005894150647276526513891420220","322468652947825938955004406889543915776","286583568098876652245465404422758834568","127201986570462198472398664917130125250","150457341653248163634371547278868393298","42360580988981891095812930143999256984","41813541162666565704516703163454305271","316304691304349232277688092453454538288","181157380099642672367145798355441124597","255074620180927161392556015134125008215"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-95b6d256","target":{"function":"create_withNullThreadPool","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":541,"function_hash":"120874310715886771716198509071211151694"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-9d77223f","target":{"file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"threshold":0.9,"line_hashes":["86338898302799134317004704633949531730","246007829359782286723457869738016452538","77488092609406731583216030235522864998","309862899411657841201371493812586809577","148800470129033171362188369011312650604","178048244493998185861343722394331395268","318106029286125956235210808608392703608","238528561277607759608676991767827207371","105765673471306735563995424288568153921","299683914653507249700997292524093176130","111544296669309098648885990631183054565","203636115368687859759167628973491452716","115334725157305393877678767885727777493","235891000172328819522632093526256659730","10790970577727228227156164546475958632","296426743375805939393225872531094909024","317946392185310770365500093109003751912","94998173725053777680939313577048355562"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-9d95c2f0","target":{"function":"ClassPathResource","file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"length":377,"function_hash":"303368326149750333144831279750599636055"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-b68cb132","target":{"file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"threshold":0.9,"line_hashes":["87684921832241687655918292211404016033","203302334733713338374274547450383163040","113977888416467995475895392042005865798","21927431905462535650519807918157491603","109893655024287940479510345397907846048","286049604279402165989529531468170763352","197026777102521465984156477188169581391","243611144339414696933723193260786826758","250061207768756530094767290408518415088","109840624392325360607145220768160060738","161635664085484397923725767185940645384","144773806321077148415617847768478621991","4347417068422738849648497407623805833","16953184574559664618845260413091234815","127201986570462198472398664917130125250","150457341653248163634371547278868393298","207811836463165821768205397610717725711","262979691645198576983505896010398452855","210348588525144921477800355477223308613","289202858452058403346943218127179283341","236914022717968287801981081482619168845","109840624392325360607145220768160060738","304520771673068591326627680622927800585","43298933005894150647276526513891420220","322468652947825938955004406889543915776","286583568098876652245465404422758834568","127201986570462198472398664917130125250","150457341653248163634371547278868393298","42360580988981891095812930143999256984","41813541162666565704516703163454305271","316304691304349232277688092453454538288","181157380099642672367145798355441124597","255074620180927161392556015134125008215"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-c34e2cae","target":{"function":"create_withThreadPool","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":549,"function_hash":"179213600700823365691695209879720642924"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-c365d6de","target":{"function":"tearDown","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":101,"function_hash":"95696730264757576704280536816030987842"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-d15e94c8","target":{"function":"tearDown","file":"src/test/java/spark/embeddedserver/jetty/EmbeddedJettyFactoryTest.java"},"digest":{"length":101,"function_hash":"95696730264757576704280536816030987842"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-d83c35b7","target":{"file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"threshold":0.9,"line_hashes":["86338898302799134317004704633949531730","246007829359782286723457869738016452538","77488092609406731583216030235522864998","309862899411657841201371493812586809577","148800470129033171362188369011312650604","178048244493998185861343722394331395268","318106029286125956235210808608392703608","238528561277607759608676991767827207371","105765673471306735563995424288568153921","299683914653507249700997292524093176130","111544296669309098648885990631183054565","203636115368687859759167628973491452716","115334725157305393877678767885727777493","235891000172328819522632093526256659730","10790970577727228227156164546475958632","296426743375805939393225872531094909024","317946392185310770365500093109003751912","94998173725053777680939313577048355562"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-e0b78b55","target":{"function":"main","file":"src/test/java/spark/examples/staticresources/StaticResources.java"},"digest":{"length":139,"function_hash":"64113376251264012390907345139382319409"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"},{"signature_version":"v1","id":"CVE-2018-9159-e0fcb3cc","target":{"function":"ClassPathResource","file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"length":377,"function_hash":"303368326149750333144831279750599636055"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/a221a864db28eb736d36041df2fa6eb8839fc5cd"},{"signature_version":"v1","id":"CVE-2018-9159-f865cd5b","target":{"function":"doesNotContainFileColon","file":"src/main/java/spark/resource/ClassPathResource.java"},"digest":{"length":74,"function_hash":"229579973618335073010886728770567009828"},"deprecated":false,"signature_type":"Function","source":"https://github.com/perwendel/spark/commit/030e9d00125cbd1ad759668f85488aba1019c668"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9159.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}