CVE-2018-8009

CWE-22Path TraversalCWE-20Improper Input ValidationCWE-862Missing Authorization9 documents7 sources
Severity
8.8HIGH
EPSS
5.9%
top 9.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache HadoopApache Software Foundation Apache Hadoop
Timeline
PublishedNov 13
Latest updateDec 21

Description

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.hadoop:hadoop-main3.1.03.1.1+4
NVDapache/hadoop0.23.00.23.11+7
CVEListV5apache_software_foundation/apache_hadoopApache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11

🔴Vulnerability Details

3
OSV
Path Traversal in Hadoop2018-12-21
GHSA
Path Traversal in Hadoop2018-12-21
CVEList
CVE-2018-8009: Apache Hadoop 32018-11-13

📋Vendor Advisories

3
Red Hat
redhat-certification: "restart" a node without authorization2018-06-21
Red Hat
hadoop: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file2018-06-05
Apache
Apache hadoop: CVE-2018-8009

💬Community

2
Bugzilla
CVE-2018-8009 hadoop: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file [fedora-all]2018-06-19
Bugzilla
CVE-2018-8009 hadoop: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file2018-06-19