CVE-2018-11804
Description
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Spark's build script runs a zinc server that, because of its default bind address, exposes files readable by the developer account to external hosts.
Vulnerability
The build script build/mvn in Apache Spark downloads and runs a zinc server to expedite compilation [2]. This server binds to all interfaces by default, allowing network connections from external hosts. The vulnerability exists in all Spark versions from 1.3.x up to and including 2.4, as listed in [4]. The issue only affects developers building Spark from source, not end users [2].
Exploitation
An attacker on the same network (or able to reach the zinc server port) can send a specially-crafted request to the server. No authentication is required. The server then reveals the content of files readable by the developer account running the build [2].
Impact
Successful exploitation results in information disclosure of arbitrary files on the build system that are readable by the developer [2]. The attacker does not gain code execution or system control.
Mitigation
No official patch has been released by the Apache Spark project. Developers should ensure that the zinc server is not accessible from untrusted networks by using firewalls or running builds in isolated environments. Alternatively, avoid using the build/mvn script on systems exposed to potentially hostile networks [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
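A check for the exposure described under Mitigation, as an added example that is not part of the CVE record or of Spark's build scripts: it parses `ss -H -ltn` output and reports listeners on the zinc port whose bind address is anything other than loopback. The port number 3030 is an assumption (this page does not state the zinc port), and the sample lines are constructed.

```python
import ipaddress

ZINC_PORT = 3030  # assumption: the page does not state the zinc port

# Constructed sample of `ss -H -ltn` output: State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:3030 *:*
LISTEN 0 50 [::ffff:127.0.0.1]:3031 *:*
LISTEN 0 50 127.0.0.1:3032 0.0.0.0:*
LISTEN 0 50 192.168.1.20:3033 0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'addr:port' (IPv6 in brackets, '*' wildcard) into parts."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)

def exposure(addr):
    """Classify a bind address as 'loopback', 'wildcard' or 'specific'."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "specific"

def exposed_listeners(ss_output, ports):
    """Return (port, address, kind) for listeners on `ports` reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        kind = exposure(addr)
        if port in ports and kind != "loopback":
            findings.append((port, addr, kind))
    return findings

if __name__ == "__main__":
    for port, addr, kind in exposed_listeners(SAMPLE_SS, {ZINC_PORT}):
        print(f"port {port} bound to {addr} ({kind}): reachable from other hosts")
```

On a build host, pass the real output of `ss -H -ltn` captured while `build/mvn` is running instead of `SAMPLE_SS`; an empty result means the listener is bound to loopback only or is not running.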
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.spark:spark-core_2.11 (Maven) | >= 1.3.0, <= 2.1.3 | — |
| org.apache.spark:spark-core_2.10 (Maven) | >= 1.3.0, <= 2.1.3 | — |
Affected products
- ghsa-coords (2 versions): >= 1.3.0, <= 2.1.3
- (no CPE) range: >= 1.3.0, <= 2.1.3
- (no CPE) range: >= 1.3.0, <= 2.1.3
- Apache Software Foundation/Apache Spark, v5, range: 1.3.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-62g2-m955-v383 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-11804 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105756 (mitre, vdb-entry, x_refsource_BID)
- lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d%40%3Cdev.spark.apache.org%3E (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.apache.org/thread.html/2b11aa4201e36f2ec8f728e722fe33758410f07784379cbefd0bda9d@%3Cdev.spark.apache.org%3E (ghsa, WEB)
- spark.apache.org/security.html (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20200227103903/http://www.securityfocus.com/bid/105756 (ghsa, WEB)