Vulnerability Description
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability that can be triggered with a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) containing entries whose filenames include path traversal sequences. When such a filename is concatenated to the target extraction directory, the resulting path resolves to a location outside the target folder.
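The defect described above is the classic "zip slip" pattern: the extractor trusts the entry name and joins it to the destination directory without checking where the joined path actually lands. The following is an added example, not code from Apache Storm or from the advisory; it is written in Python rather than Storm's own Java, uses only the standard library, and builds a small constructed archive (one benign entry, one `../` traversal entry, one absolute path) to show the check a safe extractor needs: resolve the final path and require it to remain under the destination. The helper names (`is_within`, `safe_extract`, `demo`) are this example's own.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample archive for the demo (not from the advisory):
    one benign entry plus two entries that a naive extractor would write
    outside the destination directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("topology/config.yaml", "worker.childopts: -Xmx1g\n")
        zf.writestr("../../outside.txt", "should never be written\n")
        zf.writestr("/etc/absolute.txt", "absolute entry names are rejected\n")
    return buf.getvalue()


def is_within(base: str, candidate: str) -> bool:
    """True only if the fully resolved candidate path lies under base.
    Uses commonpath rather than startswith so that '/var2/x' is not
    mistaken for a child of '/var'."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        return False


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract only entries whose final path stays inside dest_dir.
    Returns (extracted, rejected) lists of entry names."""
    extracted, rejected = [], []
    dest_dir = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Join the raw entry name exactly as a naive extractor would,
            # then check where that path really resolves to.
            target = os.path.join(dest_dir, name)
            if os.path.isabs(name) or not is_within(dest_dir, target):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run the safe extractor on the constructed archive in a temp dir.
    Returns (extracted, rejected, benign_file_present)."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted, rejected = safe_extract(build_sample_archive(), tmp)
        benign = os.path.join(tmp, "topology", "config.yaml")
        return extracted, rejected, os.path.isfile(benign)


if __name__ == "__main__":
    ex, rj, ok = demo()
    print("extracted:", ex)
    print("rejected: ", rj)
    print("benign file written inside destination:", ok)
```

The important detail is that the check runs on the joined and resolved path, not on the entry name alone: a name like `a/../../b` looks harmless until it is joined and normalised, and a plain string prefix test would also accept a sibling directory whose name merely begins with the destination's name.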
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Storm | <= 1.0.6 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/104418 (Third Party Advisory, VDB Entry)
- https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79f
FAQ
What is CVE-2018-8008?
CVE-2018-8008 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affec...
How severe is CVE-2018-8008?
CVE-2018-8008 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-8008?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Storm.