[MAVEN:GHSA-6X48-J4X4-CQW3] Path Traversal in Hadoop

Severity High
Affected Packages 5
Fixed Packages 5
CVEs 1

Apache Hadoop versions 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, and 0.23.0 to 0.23.11 are exploitable via the zip slip vulnerability in places that accept a zip file.

ID: MAVEN:GHSA-6X48-J4X4-CQW3
Severity: high
URL: https://github.com/advisories/GHSA-6x48-j4x4-cqw3
Published: 2018-12-21T17:50:29 (5 years ago)
Modified: 2023-01-09T05:03:57 (20 months ago)
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | < 2.7.7 | | | |
| Fixed | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | = 2.7.7 | | | |
| Affected | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | >= 2.8.0 < 2.8.5 | | | |
| Fixed | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | = 2.8.5 | | | |
| Affected | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | >= 2.9.0 < 2.9.2 | | | |
| Fixed | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | = 2.9.2 | | | |
| Affected | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | >= 3.0.0 < 3.0.3 | | | |
| Fixed | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | = 3.0.3 | | | |
| Affected | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | = 3.1.0 | | | |
| Fixed | pkg:maven/org.apache.hadoop/hadoop-main | org.apache.hadoop | hadoop-main | = 3.1.1 | | | |