Apache Hadoop Common is vulnerable to zip slip. The vulnerability is triggered when an attacker supplies a malicious zip archive whose entry names contain path traversal sequences such as dot dot (..). Concatenating such a name with the destination folder produces a file path located outside of that folder.
CPE

Name | Operator | Version
---|---|---
apache hadoop common | le | 3.1.0
apache hadoop common | le | 2.9.1
hive common | le | 1.2.2
hive common | le | 3.0.0
hadoop-common-instrumented | eq | 0.22.0

www.securityfocus.com/bid/105927
access.redhat.com/errata/RHSA-2019:3892
github.com/apache/hadoop/commit/745f203e577bacb35b042206db94615141fa5e6f
github.com/apache/hive/commit/6e6b0cb7b1950e6b0e4a19b0f9e2d185031dd83f
hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop
lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E
lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E
lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E