Arbitrary File Write Vulnerability in Apache Storm Affects Multiple Versions
CVE-2018-8008
Summary
Apache Storm versions 1.0.6 and earlier, 1.1.2 and earlier, and 1.2.1 and earlier contain an arbitrary file write vulnerability that is triggered by specially crafted zip archives. Filenames inside the archive can carry path traversal sequences, so entries are written to locations outside the intended extraction directory on the server. The issue is not limited to zip files; other archive formats such as bzip2, tar, xz, war, cpio, and 7z are affected as well. Updating Apache Storm installations to a fixed version is the mitigation.
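As an added defensive example (not Apache Storm's own code, and written in Python rather than Storm's Java), the following helper validates every archive entry against the extraction directory before anything is unpacked, which is the check an extractor needs to defeat the traversal described above. The archive it builds is constructed test data, and the destination path is an assumption.

```python
import io
import os
import zipfile


def make_sample_archive() -> bytes:
    """Build a constructed in-memory zip: one benign entry plus one entry
    whose name carries a path-traversal component (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("topology/README.txt", "benign content\n")
        zf.writestr("../../outside.txt", "would land outside dest_dir\n")
    return buf.getvalue()


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if the member would land inside dest_dir.
    Absolute names are rejected outright (os.path.join would honour them);
    everything else is resolved and compared against the resolved dest_dir."""
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def unsafe_members(archive_bytes: bytes, dest_dir: str) -> list:
    """List every entry that would escape dest_dir, without extracting."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(dest_dir, n)]


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Validate all entries first and refuse the whole archive if any escapes,
    so a partially extracted tree is never left behind. Returns the names
    extracted on success."""
    bad = unsafe_members(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive: path traversal in {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()
```

The same pre-extraction check applies to the other archive formats named above; the resolved-path comparison is what matters, not the container type.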
Affected Version(s)
Apache Storm 1.0.6 and earlier, 1.1.2 and earlier, and 1.2.1 and earlier
EPSS Score
15% chance of being exploited in the next 30 days.