CVE-2018-8008

Опубликовано: 05 июн. 2018

Источник: nvd

CVSS3: 5.5

CVSS2: 5.8

EPSS Средний

Описание

Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

Ссылки

http://www.securityfocus.com/bid/104418
Third Party Advisory
VDB Entry
https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E
http://www.securityfocus.com/bid/104418
Third Party Advisory
VDB Entry
https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

Версия до 1.0.6 (включая)

Конфигурация 2

cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

Версия до 1.1.2 (включая)

Конфигурация 3

cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*

Версия до 1.2.1 (включая)

EPSS

Процентиль: 94%

0.1535

Средний

5.5 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-898j-5cc8-cmf5

CVSS3: 5.5

github

больше 7 лет назад

ZipSlip in org.apache.storm:storm-core

EPSS

Процентиль: 94%

0.1535

Средний

5.5 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-22