CVE-2018-8008
N/A
N/A
Summary
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Storm | Apache Storm 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier | affected |
Weaknesses
- Arbitrary File Write
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E
- http://www.securityfocus.com/bid/104418
References
- https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E
- http://www.securityfocus.com/bid/104418
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.