Описание
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
Отчет
This issue did not affect the versions of rhs-hadoop as shipped with Red Hat Gluster Storage 3. For JBoss Fuse 6.3 and 7 standalone, while they ship vulnerable artifact via camel-hbase, camel-hdfs2 (fuse 6.3) and camel-hdfs2 (fuse 7), there's no invocation on the flawed code that could lead to an unzip operation. So fuse 6.3, 7 standalone are not affected. However FIS 2.0 and Fuse 7 on OpenShift ship vulnerable artifact via maven BOM, so setting fuse as affected for this reason.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Fuse 7 | camel | Not affected | ||
| Red Hat JBoss Fuse 6 | camel | Not affected | ||
| Red Hat Storage 3 | rhs-hadoop | Not affected | ||
| Red Hat Fuse 7.5.0 | Fixed | RHSA-2019:3892 | 14.11.2019 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.3 Medium
CVSS3
Связанные уязвимости
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2. ...
Уязвимость компонента YARN NodeManager платформы для распределенной разработки и выполнения программ Apache Hadoop, позволяющая нарушителю обойти существующие ограничения безопасности и внедрить вредоносный код в zip-файл
EPSS
6.3 Medium
CVSS3