CVE-2022-26612 — Link Following in Software Foundation Apache Hadoop

CWE-59 — Link Following CWE-22 — Path Traversal CWE-281 — Improper Preservation of Permissions7 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 59.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Hadoop Apache Hadoop

Timeline

PublishedApr 7

Latest updateOct 15

Description

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalP…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/hadoop< 3.2.3+2

▶CVEListV5apache_software_foundation/apache_hadoopunspecified — 3.2.3+2

🔴Vulnerability Details

GHSA

Path traversal in Hadoop↗2022-04-08

▶

OSV

Path traversal in Hadoop↗2022-04-08

▶

CVEList

Arbitrary file write in FileUtil#unpackEntries on Windows↗2022-04-07

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Analytics Server (Apache Hadoop) — CVE-2022-26612↗2023-10-15

▶

Red Hat

hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows↗2022-04-07

▶

Apache

Apache hadoop: CVE-2022-26612↗

▶