CVE-2022-26612

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-26612

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26612.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-26612

Aliases

GHSA-gx2c-fvhc-ph4j

Downstream

OESA-2022-2092

Published

2022-04-07T19:15:08.917Z

Modified

2026-04-11T22:01:36.539857Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3

References

Affected packages

Git / github.com/apache/hadoop

Affected ranges

Type

GIT

Repo

https://github.com/apache/hadoop

Events

Introduced

Fixed

abe5358143720085498613d399be3bbf01e0f131

Introduced

Last affected

a3b9c37a397ad4188041dd80621bdeefc46885f2

Introduced

Last affected

0bcb014209e219273cb6fd4152df7df713cbac61

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.1-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.2-NA"
        }
    ]
}

Affected versions

rel/release-3.*

rel/release-3.3.1

rel/release-3.3.2

release-3.*

release-3.2.3-RC0

release-3.3.1-RC1

release-3.3.1-RC2

release-3.3.1-RC3

release-3.3.2-RC0

release-3.3.2-RC1

release-3.3.2-RC2

release-3.3.2-RC3

release-3.3.2-RC4

release-3.3.2-RC5

Other

remove-ozone

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26612.json"

vanir_signatures_modified

"2026-04-11T22:01:36Z"

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/hadoop/commit/abe5358143720085498613d399be3bbf01e0f131",
        "digest": {
            "function_hash": "172508901140850166315077168976677568660",
            "length": 705.0
        },
        "id": "CVE-2022-26612-cf0079d5",
        "deprecated": false,
        "target": {
            "file": "hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java",
            "function": "getTimeDurationHelper"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/apache/hadoop/commit/abe5358143720085498613d399be3bbf01e0f131",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "117241420199337029436298470313516342337",
                "10911464053357943410825609861845695837",
                "240437666491262468440316638114074933731",
                "226622566833744400926285549106341911654",
                "249375286985992668764075164756526076674"
            ]
        },
        "id": "CVE-2022-26612-f2b0819d",
        "deprecated": false,
        "target": {
            "file": "hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java"
        }
    }
]