94 matches found
Deep Java Library 安全漏洞
Deep Java Library is an open source, high-level, engine-independent deep learning Java framework from Deep Java Library Open Source. A security vulnerability exists in Deep Java Library versions prior to 0.31.1, which stems from a path traversal issue in ZipUtils.unzip and TarUtils.untar that...
Arbitrary File Overwrite & RCE via Tarfile Path Traversal
Description The DJL package utilizes an untar function, for example, when downloading and saving models. Additionally, the untar function overwrites existing files. Therefore, the untar method includes the following two security measures to prevent misuse of its functionality. 1. Security measure...
SUSE CVE-2019-1002101
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could r...
BIT-JENKINS-2021-21689
FilePathunzip and FilePathuntar were not subject to any agent-to-controller access control in Jenkins LTS 2.303.2 and earlier...
Path Traversal
org.openrefine is vulnerable to Path Traversal. The vulnerability exists because the OpenRefine project tar files are not properly escaping their root directory in the untar function of FileProjectManager.java, which allows an attacker to access files outside the expected directory using relative...
The vulnerability of the API FileUtil.unTar(file, file) implementation in the Apache Hadoop distributed development and execution platform allows a attacker to execute arbitrary commands.
The vulnerability of the API FileUtil.unTarfile, file implementation in the Apache Hadoop distributed development and execution platform is related to the introduction or modification of arguments. Exploiting this vulnerability may allow a malicious actor to execute arbitrary commands remotely...
GHSA-8WM5-8H9C-47PC Apache Hadoop argument injection vulnerability
Apache Hadoop's FileUtil.unTarFile, File API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in...
Apache Hadoop argument injection vulnerability
Apache Hadoop's FileUtil.unTarFile, File API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in...
Apache Hadoop 操作系统命令注入漏洞
Apache Hadoop is an open source distributed system infrastructure from the Apache Foundation. The product is capable of distributed processing of large amounts of data and is highly reliable, scalable, and fault-tolerant. Apache Hadoop has a security vulnerability that stems from its...
PT-2022-3981
Name of the Vulnerable Software and Affected Versions Apache Hadoop versions prior to 2.10.2 Apache Hadoop versions prior to 3.2.4 Apache Hadoop versions prior to 3.3.3 Description The issue is related to the FileUtil.unTarFile, File API in Apache Hadoop, which does not escape the input file name...
The vulnerability in the implementation of the unTar() function for the distributed development and execution platform of Apache Hadoop allows a hacker to write arbitrary files.
The vulnerability of the unTar function implementation in the distributed development and execution platform for Apache Hadoop is related to deficiencies in checking the path name of the restricted-access directory. Exploiting this vulnerability could allow an attacker to write arbitrary files...
Path traversal in Hadoop
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an...
CVE-2022-26612
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an...
Xxe
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an...
CVE-2022-26612
CVE-2022-26612 affects Apache Hadoop. The vulnerability arises during TAR extraction: Hadoop’s unTar uses unTarUsingJava on Windows and the built-in tar utility on other OSes, allowing a TAR entry to create a symlink pointing outside the extraction directory. A following TAR entry can write arbit...
CVE-2022-26612 Arbitrary file write in FileUtil#unpackEntries on Windows
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an...
PT-2022-2441 · Apache · Apache Hadoop
Name of the Vulnerable Software and Affected Versions: Apache Hadoop versions prior to 3.2.3 Description: The issue is related to the unTar function in Apache Hadoop, which uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. This can lead to a TAR entr...
Symlink Attack in kubectl cp
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could r...
jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
An incorrect access control vulnerability was found in Jenkins. The FilePathunzip and FilePathuntar were not subjected to any access control. An attacker with access to FilePathunzip or FilePathuntar operations is able to read and write arbitrary files on the Jenkins controller file system...
jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
An incorrect permissions validation vulnerability was found in Jenkins. The FilePathuntar does not check permission to create symbolic links when unarchiving a symbolic link, which may allow an attacker to get read and write access to arbitrary files on the Jenkins controller file system...