CVE-2018-8008

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-8008

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8008.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-8008

Aliases

GHSA-898j-5cc8-cmf5

Published

2018-06-05T19:29:00Z

Modified

2024-09-03T02:20:06.811029Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

References

Affected packages

Git / github.com/apache/storm

Affected ranges

Type: GIT
Repo: https://github.com/apache/storm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

0bb7a66a9b26ad96afc81b27dd45f93ae8969c44

Last affected

7993db01580ce62d44866dc00e0a7266984638d0

Last affected

d156d25d991311eaa1f5131d3dc34787f87ce684

Affected versions

0.*

0.9.0

0.9.0-rc1

0.9.0-rc2

0.9.0-rc3

0.9.0.1

Other

PRE_SECURITY_MERGE

v0.*

v0.9.1-incubating

v0.9.2-incubating

v0.9.2-incubating-security

v0.9.3

v0.9.3-rc1

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.2.1