Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg5Z2MtNmN3Ni00dmNo
Spark allows remote attackers to read arbitrary files via a .. (dot dot) in the URI
Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
Permalink: https://github.com/advisories/GHSA-89gc-6cw6-4vchJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg5Z2MtNmN3Ni00dmNo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-89gc-6cw6-4vch, CVE-2016-9177
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-9177
- https://github.com/perwendel/spark/issues/700
- https://access.redhat.com/errata/RHSA-2017:0868
- https://github.com/advisories/GHSA-89gc-6cw6-4vch
- http://seclists.org/fulldisclosure/2016/Nov/13
- http://www.securityfocus.com/bid/94218
Blast Radius: 30.8
Affected Packages
maven:com.sparkjava:spark-core
Dependent packages: 221Dependent repositories: 12,812
Downloads:
Affected Version Ranges: < 2.5.2
Fixed in: 2.5.2
All affected versions: 1.1.1, 2.0.0, 2.5.1
All unaffected versions: 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4