Web application abuses : Apache Hadoop before 3.1.1, 3.0.3, 2.8.5, 2.7.7 Zip Slip Vulnerability

Búsqueda de Vulnerabilidad		Buscar 219043 Descripciones CVE y 99761 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.112430

Categoría: Web application abuses

Título: Apache Hadoop before 3.1.1, 3.0.3, 2.8.5, 2.7.7 Zip Slip Vulnerability

Resumen: Apache Hadoop is prone to the 'Zip Slip' Vulnerability.

Descripción: Summary:
Apache Hadoop is prone to the 'Zip Slip' Vulnerability.

Vulnerability Insight:
The vulnerability is exploited using a specially crafted archive that
holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats,
including tar, jar, war, cpio, apk, rar and 7z.

Vulnerability Impact:
Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive.
The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the
target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait
for the system or user to call them, thus achieving remote command execution on the victim's machine. The vulnerability can also cause
damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.

Affected Software/OS:
Apache Hadoop versions 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11.

Solution:
Update to version 3.1.1, 3.0.3, 2.8.5 or 2.7.7 respectively.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2018-8009
BugTraq ID: 105927
http://www.securityfocus.com/bid/105927
https://hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop
https://snyk.io/research/zip-slip-vulnerability
https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
RedHat Security Advisories: RHSA-2019:3892
https://access.redhat.com/errata/RHSA-2019:3892

Copyright Copyright (C) 2018 Greenbone Networks GmbH

Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.112430
Categoría:	Web application abuses
Título:	Apache Hadoop before 3.1.1, 3.0.3, 2.8.5, 2.7.7 Zip Slip Vulnerability
Resumen:	Apache Hadoop is prone to the 'Zip Slip' Vulnerability.
Descripción:	Summary: Apache Hadoop is prone to the 'Zip Slip' Vulnerability. Vulnerability Insight: The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. Vulnerability Impact: Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers. Affected Software/OS: Apache Hadoop versions 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11. Solution: Update to version 3.1.1, 3.0.3, 2.8.5 or 2.7.7 respectively. CVSS Score: 6.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2018-8009 BugTraq ID: 105927 http://www.securityfocus.com/bid/105927 https://hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop https://snyk.io/research/zip-slip-vulnerability https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E RedHat Security Advisories: RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892
Copyright	Copyright (C) 2018 Greenbone Networks GmbH