Path Traversal in Hadoop · CVE-2018-8009 · GitHub Advisory Database · GitHub

Path Traversal in Hadoop

High severity GitHub Reviewed Published Dec 21, 2018 to the GitHub Advisory Database • Updated Mar 4, 2024

Package

org.apache.hadoop:hadoop-main (Maven)

Affected versions

= 3.1.0

>= 3.0.0, < 3.0.3

>= 2.9.0, < 2.9.2

>= 2.8.0, < 2.8.5

< 2.7.7

Patched versions

3.1.1

3.0.3

2.9.2

2.8.5

2.7.7

Description

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

References

Published to the GitHub Advisory Database Dec 21, 2018

Reviewed Jun 16, 2020

Last updated Mar 4, 2024

Severity

High

8.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H